A Buyer’s Guide to Cyber Liability Insurance Coverage, 2nd Edition
by Thomas H. Bentz Jr.
Supplement by Kaylee A. Cox

From the Finance Monthly Global Awards 2017: Insurance and Reinsurance Lawyer of the Year

Mr. Bentz is a partner at Holland & Knight LLP in Washington, D.C. © Copyright Thomas H. Bentz Jr., 2017. All rights reserved. Portions of this text have appeared in articles written by the author and may be included in future articles.
TABLE OF CONTENTS

I. INTRODUCTION ............ 1
II. OVERVIEW OF A TYPICAL CYBER LIABILITY INSURANCE POLICY ............ 3
   A. What is Covered ............ 3
   B. Bells and Whistles – Important Extras ............ 9
   C. What is Not Covered – Look to the Definitions (Not Just the Exclusions) ............ 10
   D. Understanding Claims Made Coverage ............ 11
   E. Understanding Duty to Defend Coverage ............ 12
   F. Advancement/Reimbursement of Defense Costs ............ 13
III. TYPICAL STRUCTURE FOR A CYBER INSURANCE PROGRAM ............ 15
IV. UNIQUE COVERAGE ISSUES FOR CYBER INSURANCE ............ 16
   A. Cross Over with Other Types of Insurance Coverage ............ 16
   B. Social Engineering Fraud / Phishing Coverage ............ 18
   C. Logistics Issues ............ 19
V. KEY PROVISIONS TO NEGOTIATE IN A CYBER LIABILITY POLICY ............ 20
   A. Cyber Insurance Is Not a Commodity ............ 20
   B. Need to Negotiate Coverage ............ 21
   C. General Recommendations for Buying Cyber Insurance Policies ............ 22
   D. Negotiating the Coverage Grants ............ 23
   E. Negotiating Key Definitions ............ 25
   F. Negotiating Key Exclusions ............ 28
   G. Negotiating Key Terms and Conditions ............ 35
   H. Negotiating Excess Policies ............ 41
VI. SELECTING THE “RIGHT” POLICY LIMIT, RETENTION AND INSURER ............ 46
   A. Selecting the Right Policy Limit ............ 46
   B. Selecting the Right Retention ............ 48
   C. Selecting the Right Insurer ............ 48
VII. CLAIMS HANDLING ............ 50
   A. Reporting a Claim ............ 50
   B. Defending a Claim ............ 52
   C. Reservation of Rights Letters and Other Insurer Responses ............ 54
   D. Common Mistakes ............ 56
   E. Insurance Checklist for Defending Cyber Liability Claims ............ 57
VIII. SUPPLEMENTING INSURANCE COVERAGE WITH BREACH PREPAREDNESS ............ 59
IX. CONCLUSION ............ 63
GLOSSARY OF COMMON CYBER LIABILITY INSURANCE TERMS ............ 64
CYBER LIABILITY INSURANCE ............ 81
MEET THE TEAM ............ 85
RECENT INSURANCE PUBLICATIONS FROM HOLLAND & KNIGHT ............ 90
ABOUT HOLLAND & KNIGHT LLP ............ 92
SIGNIFICANT FIRM RECOGNITIONS ............ 92
SIGNIFICANT INSURANCE TEAM RECOGNITIONS ............ 93
ABOUT THE AUTHOR ............ 94
The information contained herein is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem. Moreover, the laws of each jurisdiction are different, and are constantly changing. If you have specific questions regarding a particular fact situation, we urge you to consult expert legal counsel.
I. INTRODUCTION

“My message for companies that think they haven’t been attacked is: ‘You’re not looking hard enough.’ ”
James Snook, deputy director in the office for cyber security, UK Government cabinet office, London, April 2016

The last several years have taught us that no matter how strong your IT defenses are, no matter how well you train your employees, and no matter how much time or money you spend on network security, you will experience a breach. It is not a matter of if, it is a matter of when. Data breaches are expensive. According to the 2016 Ponemon Institute Cost of a Data Breach Study, the average cost of a data breach in 2016 was $7.01 million, up from $6.53 million in 2015. A data breach may also result in business interruption losses, loss of intellectual property, fines and penalties, and significant harm to a company’s reputation. For this reason, many companies turn to cyber liability insurance to try to minimize losses in the event of a breach.

Unfortunately, cyber insurance policies are both complicated and rapidly changing. There is no standard policy form, which means that the coverage offered by one insurer may (and often does) differ dramatically from that offered by another insurer. There is little agreement between insurers on what should be covered, when the coverage should be triggered or even how basic terms should be defined. These differences make understanding what is and is not covered very difficult. They also make it nearly impossible (or at least foolish) to purchase this coverage based on price alone. Notwithstanding, a strong cyber liability insurance policy may offer significant protection to companies. In some cases, it may even save a company from financial and reputational ruin.

Symantec discovered more than 430 million new and unique pieces of malware in 2015. This is a 36% increase from 2014.

The purpose of this book is to provide a basic understanding of the complexities of cyber liability insurance and to offer some tips to help insureds obtain the strongest possible protection. As described in more detail ahead, cyber liability insurance policies vary widely, with dramatic differences in coverage. As a result, the information below cannot and should not replace consultation with an experienced cyber liability insurance broker and an insurance attorney specializing in cyber liability insurance policy reviews.

Cyber Insurance – A Brief History

Cyber liability insurance is a relatively new concept. The first policies did not appear until the late 1990s and there have been constant changes to the forms and the protections offered ever since. Today, there are approximately 30 insurers that offer some type of meaningful cyber risk and data privacy coverage. However, the coverage provided varies wildly between different insurers. In addition, the market is in flux, with new coverage types and new coverage forms appearing nearly as often as new cyber claims are reported.

The Rapid Growth of Cyber Insurance
The cyber insurance market has seen rapid growth over the last six years. In 2016, Advisen estimates that 65% of companies purchase some form of cyber insurance. This is an 85% increase from 2011, when only 35% of companies purchased the coverage.
(Advisen’s Information Security and Cyber Risk Management – the Sixth Annual Survey on the Current State of and Trends in Information Security and Cyber Risk Management, October 2016)

“JP Morgan is a company that has 2,000 people dedicated to cyber security. They have spent $250 million dedicated to cyber security. They did everything right, and they still got hacked.”
Erik Avakian, Chief Information Security Officer, Commonwealth of Pennsylvania, USA, Sept 2015

Because there is so much difference in the coverage, it is imperative that insureds understand what coverage they need, what coverage is being offered and what risks they will need to self-insure against even after they purchase coverage. It cannot be stressed enough that comparisons of cyber policies based on price alone are nearly meaningless for this line of coverage.
II. OVERVIEW OF A TYPICAL CYBER LIABILITY INSURANCE POLICY

Cyber insurance policies generally contain both first-party and third-party coverage. First-party coverage insures against an insured’s own losses such as the cost to notify insureds of a cyberattack or lost business income resulting from a breach or cyberattack. Third-party coverage insures against liability to third parties caused by a breach or cyberattack. Not all coverage grants are available to all insureds. For example, strong business interruption coverage may be extremely difficult to find for a large retail business.

It is also important to know that the pricing for this coverage may vary significantly depending on the current market conditions. In fact, quoted premiums may vary significantly by insurer for the same risk. It is not uncommon to see quotes that are 20% to 30% higher for a risk from one insurance carrier to the next. Given this volatility, it is imperative that insureds work with an experienced advisor who knows which markets will be interested in and competitive for the risk.
A. What is Covered
Perhaps the easiest way to understand what is covered by a cyber liability insurance policy is to break down the various coverage grants into three general categories. The first category contains the essential coverage grants – the coverage necessary to stop and contain a data breach and then respond to plaintiffs and regulators who allege they were injured by a data breach. The second category includes first-party losses to the insured company as a result of the breach (e.g., business interruption coverage). The final category of coverage grants includes coverage for theft/property loss. This category is similar in some respects to crime and general liability coverage. Different insurers may label these coverage grants differently. Some will split them out into different coverage parts with different limits and retentions and some will only offer some of the protections. The lack of uniformity is part of the reason that comparing cyber liability insurance policies can be so difficult.
1. Essential Coverage Components
• Loss Containment
• Third-Party Liability
• Regulatory Defense and Penalties
• Online Media Liability Protection
• PCI Fines and Assessments

2. Business Interruption/Expense Coverage
• Network/Business Interruption
• Extra Expenses

3. Theft/Property Loss Coverage
• Data Loss and Restoration
• Cyber Extortion
• Computer Fraud
• Improper Electronic Transfer of Funds
1. The Essential Coverage Grants
a) Loss Containment Coverage
• Forensic Investigation Coverage
Covers the costs and expenses related to determining whether a cyberattack has occurred, how it occurred, and how to stop the attack/loss of data. Some policies also cover work needed to prevent future breaches.
• Crisis Management Costs
Covers crisis management and public relations expenses to assist in managing and mitigating a cyber event. Some policies will also cover the costs related to setting up a post-breach call center.

b) Third-Party Liability Coverage
• Notification / Credit Monitoring Costs
Covers costs related to notifying customers and others about a cyber event as well as any mandatory credit/fraud monitoring expenses. Most policies will cover credit monitoring for one year. Some policies will also cover costs necessary to restore stolen identities. Insureds should be sure that their insurance will provide credit monitoring from as many credit monitoring services as are required by law. Many cyber policies only provide for one credit monitoring service.
• Litigation and Privacy Liability Expenses
Covers defense costs, judgments, settlements and related liabilities caused by plaintiffs who bring suit against the insured for various theories of recovery due to the cyber event. Some policies only provide this coverage if there is theft of data (e.g., a hacker obtains personally identifiable information). Other policies will provide this coverage even if there is an intrusion without theft. This is an important distinction and may result in a significant difference in the coverage provided.
c) Regulatory Defense and Penalties Coverage
• Regulatory Defense and Penalties Coverage
Covers defense costs to prepare for and defend against regulatory proceedings including legal, technical and forensic work. Some policies also cover certain fines and penalties that may be assessed against the insureds as well as costs related to responding to government inquiries about the cyber event.

Coverage Tip
Be sure that your policy covers damage inflicted on a third party as well (i.e., transmitting a virus to a third-party computer system). Not all policies offer this and some only offer it by endorsement.
Special Note About PCI Fines
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards intended to make sure that all companies that use credit card information do so in a secure manner. Failure to comply with the PCI DSS standards may result in significant fines and penalties. Unfortunately, many insurers place a sublimit on their coverage for PCI fines. This can have real consequences for an insured who purchases $10 million in coverage that may only have $250k in coverage for a PCI assessment. Insureds are well advised to carefully consider how much coverage they have and need for this exposure.

Cyber liability insurance is one of the few insurance policies that will cover fines and penalties. This is extremely valuable when dealing with regulators from multiple states who are enforcing different and even inconsistent laws.
d) Online Defamation, Copyright and Trademark Infringement Coverage
• Online Defamation, Copyright and Trademark Infringement
Covers costs related to claims of defamation, copyright and trademark infringement for material published on the insured company’s website. This coverage is not for losses related to a data breach or intrusion. Instead, it is for improper use of information by the insured company, for example, if the company’s website uses a photo of a customer without the customer’s permission. The coverage is generally only available for website activities – it does not cover print or other types of media.
2. Business Interruption and Expenses Coverage
• Network Business Interruption Coverage
Covers lost income and operating expenses due to a “material interruption or suspension” of an insured’s business caused by a “network security failure.” Definitions of “material interruption” and “network security failure” vary greatly between policies. For example, some policies will only include a data breach whereas others will also include introduction of a virus or other type of disruption. What is covered may also vary significantly. Depending on the policy, coverage may be available for: (1) income lost when the insured cannot sell its product because its computer system failed; (2) dependent business interruption; or (3) extended business interruption. Currently, only a few insurers offer dependent and extended business interruption coverage on their policy forms. Some insurers only offer these extensions by endorsement and some will not offer the coverage.

Coverage Tip
Some insureds purchase business interruption because it provides an added incentive to the insurer to handle and resolve claims more expeditiously.
• Expense Coverage
Covers certain expenses necessary to expedite recovery from an electronic disruption. Covered expenses are generally fairly limited and subject to lower limits of liability. Some policies only cover these expenses if the expense “reduces” the loss. This is tricky since it is often hard to know whether an extra expense will reduce the loss at the time the expense is incurred.
3. Theft / Property Loss Coverage
• Data Loss and Restoration Coverage
Covers the costs of retrieving and restoring data, hardware, software or other information damaged or destroyed in a cyberattack. Some policies will also cover damages caused when an employee accidentally erases data. This coverage does not apply if the employee acted intentionally. It also does not typically cover costs for upgrading or otherwise improving the software during a restoration process.
• Cyber Extortion / Ransomware Coverage
Covers costs related to hackers who attempt to extort money by threatening to release sensitive information/data if a ransom is not paid, as well as costs related to hackers who attempt to hold a network or data on the network hostage. Typically, this coverage will pay for: (1) the money necessary to meet the extortion demand; (2) the costs of a consultant/expert to negotiate with the extortionist; and (3) the costs of an expert to stop the intrusion and block future extortion attempts. This may be extremely valuable coverage since many companies have little or no experience negotiating with extortionists.

Ransomware
According to McAfee Labs’ 2016 Threats Report, a single ransomware crime organization netted $121 million during the first half of 2016.
• Computer Fraud Coverage
Covers losses related to the loss or destruction of the insured’s data as a result of criminal or fraudulent cyberattacks. A typical scenario is where a hacker obtains information about an insured company’s client and uses that information to withdraw money from the client’s bank account through an ATM. This coverage grant does not cover fraudulent acts of employees, independent contractors or persons under the insured’s supervision.
• Improper Electronic Transfer of Funds Coverage
Covers lost income and operating expenses due to a material interruption or suspension of an insured’s business caused by a network security failure. This coverage grant requires the fraudulent transfer of funds from one financial institution to another. These last two coverage grants are increasingly difficult to obtain in off-the-shelf cyber liability forms.
B. Bells and Whistles – Important Extras
The number of companies purchasing cyber liability insurance has increased significantly in the last several years. As a result, some insurers have started offering their insureds access to specialized consultants such as data breach coaches, expert forensic and crisis management professionals and attorneys as an added benefit of purchasing coverage with their company. For some insureds, these specialized consultants and professionals may be extremely valuable.

Coverage Tip
Insurance companies are uniquely suited to help handle and resolve cyber liability claims. Their relationships with specialists and experts in this area often allow their insured companies to resolve claims faster and for significantly less money than if an insured tried to handle a claim on its own.
Coverage Tip
Many companies have retained their own computer/forensic experts and legal professionals to review and/or vet their computer systems, apps and related services. Companies that have done so should check their policies to ensure that they will be allowed to use their preferred experts and professionals in the event of a data breach or intrusion. Some policies will only insure losses if the insured company uses one of the experts or professionals included on the policy’s “panel list.” This may be extremely frustrating to insureds. Fortunately, most insurers are willing to add an insured’s preferred expert and/or professional to the policy by endorsement if this is negotiated before a claim is made.

According to one study, companies that had insurance paid less than one-third as much to resolve claims as companies that did not have insurance. This may be because insured companies have access to these experienced professionals. The fact is that most companies are not set up to handle a data breach or other cyber-related claims on their own. Having access to known and vetted experts and professionals in the cyber/data breach fields may save an insured time and money and may reduce losses or even help prevent future losses from occurring. Many policies also offer insureds access to IT assessment services, system audits, training and compliance forums and even sample policies to respond to a data breach. Again, these “extra” services may be among the most valuable components of the coverage.
C. What is Not Covered – Look to the Definitions (Not Just the Exclusions)
Each coverage grant in a cyber liability insurance policy will have its own set of exclusions that will apply. Typical exclusions and tips on how to negotiate those exclusions are discussed below. However, exclusionary language is not limited to the exclusions section. Insureds must also consider a policy’s definitions. For example, in some policies, the term “computer system disruption” is limited to a data breach. In other policies, this term also includes the introduction of a virus or spam-mail. This could have significant implications for coverage. Although not technically an exclusion, the narrower definition has a similar effect. In fact, the definition section is often where many limitations on coverage appear in a policy. This makes comparing policies between insurers extremely difficult. It is also complicated because insurers rarely use the same terms for a specific concept. For example, one insurer may use the term “computer system disruption” whereas another uses “security failure.” This lack of uniformity makes comparing terms and coverage grants difficult.
D. Understanding Claims Made Coverage
Cyber liability insurance policies nearly all have at least some coverage grants written on a claims made basis. This means that for a claim to be covered, it must be made during the policy period and the wrongful act must occur after a pre-set retroactive date (generally the inception date of the first cyber liability policy provided by the insurer) but before the end of the policy term. Even within the policy period, insureds are generally required to give notice “as soon as practicable” and often within a set number of days. Although some policies may relax (or restrict) these requirements, claims made policies are extremely time sensitive. Thus, it is imperative that insureds recognize when a claim has been made and report such a claim promptly. Failure to do so may result in a denial of coverage.

Coverage Tip
When purchasing cyber liability coverage, it is important to negotiate the retroactive date. Many policies only cover cyberattacks or data breaches occurring after the retroactive date. This may leave an insured without coverage for a network security breach that occurred, but was undetected, before the retroactive date.

To help soften the effect of claims made coverage, many policies permit an insured to provide notice of any “circumstance” that may give rise to a claim in the future. Giving notice of a circumstance is generally discretionary but it can have some advantages. For example, if a company properly notices a circumstance during the policy period, the insurer will generally consider a subsequent claim that arises from that circumstance to be “made” during the policy period in which the insured provided the notice. This may allow a matter that does not become a formal claim until after the policy period has expired to be covered by the policy. The benefit of this is that subsequent policy limits will not be impaired by any claims arising from the noticed circumstances.

On the other hand, because giving notice of a circumstance creates a potential increase in exposure for the insurer, most policies demand a high degree of specificity about the circumstance in order for coverage to apply. Failure to provide sufficient details may result in coverage being denied by the current insurer and may trigger an exclusion in a future policy. This complicates the decision to report a circumstance, especially if the company is changing insurers or relevant coverage terms, including limit. In addition, it is possible that the insurer will count the potential increased exposure from the notice of circumstances against the insureds. This could result in a higher renewal quote or, in a worst-case scenario, the refusal to quote the risk going forward.
E. Understanding Duty to Defend Coverage
Some cyber liability policies are written on a “duty to defend” basis while others are written as “non-duty to defend.” A duty to defend policy means that the insurer (not the insured) controls the defense and claim strategy. Decisions such as which law firm to use, whether and how to defend a claim, and on what terms a claim should be settled are determined by the insurer in this type of policy. A non-duty to defend policy requires the insureds to retain and pay for counsel to defend a claim. The insurer will then reimburse the insured for its expenses. Many insureds prefer a non-duty to defend policy because it gives the insureds more control over the defense of the claim. However, this additional control comes with insurer oversight. The non-duty to defend policy also requires the insureds to obtain the insurers’ consent prior to incurring defense costs and/or agreement to a settlement. Failure to obtain that consent may leave insureds responsible for paying all or a portion of their expenses. In short, although the insured controls the defense, the insured must still work with its insurers if it hopes to have its expenses covered by the insurance policy.
Some companies may prefer a duty to defend policy – especially if they feel unequipped to handle a data breach on their own. However, it is generally best for insureds to request the option to defend claims on their own. At a minimum, insureds should consider requesting the right to control the defense of regulatory proceedings that may be covered by the cyber liability policy.
F. Advancement / Reimbursement of Defense Costs
1. Advancement Versus Reimbursement
Another concern raised by a non-duty to defend policy is how and when the insurer will handle the expenses. Some insurers will reimburse the insureds for their expenses; others will agree to advance such costs. The reimbursement approach requires the insured to pay expenses and then ask the insurer to reimburse them. This may put a burden on some insureds to front defense costs for several months until the insurer pays the reimbursement. For this reason, many insureds prefer advancement policies. With an advancement policy, the insurer pays the expenses directly to the defense firms so that the insured does not have to pay and then wait to be reimbursed. However, many insurers will require the use of a pre-selected “panel counsel” law firm before they will agree to advance defense costs. Some insureds like this, others do not.

Coverage Tip
Make sure that your reimbursement or advancement provision specifies when payment by the insurer must occur. Some forms say payment must be made within 60 days, others say only that payment must be made prior to the final resolution of the claim. The latter is much less preferable.

Most reimbursement and advancement clauses are subject to two conditions: (1) the parties must agree to an appropriate allocation of the defense costs (i.e., covered and uncovered losses), with only covered losses subject to reimbursement/advancement, and (2) the insurance company must receive the insureds’ agreement to repay the insurance company if it is ultimately determined that the insureds’ losses are not covered by the policy. Allocation is necessary if a lawsuit involves both covered and uncovered claims. Similarly, allocation is necessary if a lawsuit names both insured and uninsured persons as defendants, and both parties are represented by the same law firm. For this reason, a common reimbursement/advancement clause provides that if the insureds and the insurance company can agree on an allocation between covered and uncovered losses, the insurer will advance, on a current basis, the amount allocated to covered loss. If the parties are unable to agree, a typical reimbursement/advancement clause will require the insurance company to pay only the portion of defense costs it deems reasonable until a different allocation is determined by negotiation, arbitration or a judicial proceeding. Some parties will give the insured the option of submitting an allocation dispute to binding arbitration.

Some cyber liability policies require the insured to guarantee the undertaking. For example, one advancement provision provides as follows:

“As a condition of any advancement of defense expenses, the insurer may require a written undertaking on terms and conditions satisfactory to the insurer guaranteeing the repayment of defense expenses paid on behalf of the insured if it is finally determined that Loss incurred by such insured would not be covered by this policy.” (emphasis added)

An insurer could argue that the guarantee of repayment translates into the need to collateralize the advancement. Obviously, this could be problematic as many insureds may lack sufficient collateral to support the advancement of what could be millions of dollars’ worth of defense fees. Although it is debatable whether an insurer would be successful with this argument, insureds should be cautious about agreeing to such a provision.
2. Defense Costs Within the Policy Limit
Finally, it is important to remember that defense costs generally erode the policy limit. Thus, every dollar spent defending a claim reduces the limit available to resolve any liability payments for the matter. For example, if a policy has a $1 million limit and $400,000 is spent on defense costs, only $600,000 would be left to satisfy any judgment or settlement in the matter. This is a particularly important point for cyber liability insurance policies because many cyber policies have multiple coverage grants with separate retentions, limits and conditions. Insureds should keep this in mind when selecting what limits and what aggregate of coverage they need.
III. TYPICAL STRUCTURE FOR A CYBER INSURANCE PROGRAM
Insureds who seek more than $10 or $15 million in cyber liability insurance coverage will generally need to purchase coverage from multiple insurers. This is because few insurers today are willing to provide more than $10 or $15 million of coverage for any one risk. In the United States, insureds that desire more than $10 or $15 million in coverage typically layer or stack insurers. The first layer (or primary policy) will set forth the general terms and conditions for the entire program. Excess policies provide any needed additional limit. In this model, the primary insurer bears 100% of the risk of loss up to its limit. Then, the first excess insurer bears 100% of the loss within its layer, and so on. One alternative to the layered structure is a quota share program. This is more popular in Europe and rarely used by most United States-based insurers. A quota share program allows the insurers to share the risk across a program in proportion to the premium they receive. This may be easiest to understand graphically:
Traditional United States Model: Layered or Stacked Insurance ($50M program)
Excess Insurer 4: $10M excess $40M
Excess Insurer 3: $10M excess $30M
Excess Insurer 2: $10M excess $20M
Excess Insurer 1: $10M excess $10M
Primary Insurer: $10M primary limit

Traditional United Kingdom Model: Quota Share Insurance ($50M program)
Insurer A – 20% of loss
Insurer B – 20% of loss
Insurer C – 20% of loss
Insurer D – 20% of loss
Insurer E – 20% of loss
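To make the two structures concrete, here is an added worked example (not from the guide) that allocates a hypothetical loss across the $50M program pictured above under both models. The five $10M layers and five 20% shares are the guide's figures; the loss amounts passed to the functions are constructed for illustration.

```python
"""Added worked example (not from the guide): allocating one loss across the $50M
program shown above under the layered (U.S.) and quota share (U.K.) structures.
The five layers and five 20% shares are the guide's figures; the loss amounts fed
to the functions are constructed for illustration."""

from typing import Dict, List, Tuple

# (insurer, limit, attachment point): each excess layer attaches where the one
# below it is exhausted, e.g. "$10M excess $10M" means a $10M limit above $10M.
Layer = Tuple[str, int, int]

LAYERED_PROGRAM: List[Layer] = [
    ("Primary Insurer", 10_000_000, 0),
    ("Excess Insurer 1", 10_000_000, 10_000_000),
    ("Excess Insurer 2", 10_000_000, 20_000_000),
    ("Excess Insurer 3", 10_000_000, 30_000_000),
    ("Excess Insurer 4", 10_000_000, 40_000_000),
]

# Quota share: each insurer pays a fixed percentage of every covered dollar.
QUOTA_SHARE_PERCENT: Dict[str, int] = {
    "Insurer A": 20, "Insurer B": 20, "Insurer C": 20, "Insurer D": 20, "Insurer E": 20,
}
PROGRAM_LIMIT = 50_000_000


def allocate_layered(loss: int, program: List[Layer]) -> Dict[str, int]:
    """Each insurer bears 100% of the loss inside its own layer.

    A layer pays nothing until the loss exceeds its attachment point and never
    pays more than its limit. Defense costs erode these limits, so `loss` should
    be the total of defense costs plus any judgment or settlement.
    """
    payments: Dict[str, int] = {}
    for insurer, limit, attachment in program:
        payments[insurer] = min(max(loss - attachment, 0), limit)
    return payments


def allocate_quota_share(loss: int, shares: Dict[str, int], program_limit: int) -> Dict[str, int]:
    """Every insurer pays its percentage of the covered loss from the first dollar.

    The covered loss is capped at the program limit. Shares are integer
    percentages so the arithmetic stays exact; this example assumes the program
    is fully placed (shares sum to 100%).
    """
    if sum(shares.values()) != 100:
        raise ValueError("quota shares must sum to 100%")
    covered = min(loss, program_limit)
    return {insurer: covered * pct // 100 for insurer, pct in shares.items()}


def uninsured_portion(loss: int, payments: Dict[str, int]) -> int:
    """Whatever the program does not pay stays with the insured."""
    return loss - sum(payments.values())


if __name__ == "__main__":
    for loss in (35_000_000, 60_000_000):  # constructed loss amounts
        layered = allocate_layered(loss, LAYERED_PROGRAM)
        quota = allocate_quota_share(loss, QUOTA_SHARE_PERCENT, PROGRAM_LIMIT)
        print(f"Loss ${loss:,}")
        print("  layered:    ", {k: f"${v:,}" for k, v in layered.items()})
        print("  quota share:", {k: f"${v:,}" for k, v in quota.items()})
        print(f"  uninsured:   ${uninsured_portion(loss, layered):,}")
```

A $35M loss exhausts the primary and first two excess layers and takes $5M from Excess Insurer 3, while under quota share every insurer pays $7M; a $60M loss leaves $10M uninsured under either structure.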
IV. UNIQUE COVERAGE ISSUES FOR CYBER INSURANCE
A. Cross Over With Other Types of Insurance Coverage
Cyber liability policies are not the only place where an insured might find coverage for a cyber event. Depending on the losses and/or allegations, several other types of insurance policies may also respond to a cyber-related claim.
• Directors and Officers (D&O) Coverage One of the largest potential exposures in the wake of a cyber event has turned out to be derivative actions against the board of directors for failure to exercise proper business judgment in preparing for or dealing with a cyber event. These types of derivative claims may be covered under a D&O policy. Other third-party claims against the directors and officers of the insured company may also be covered by a D&O policy.

Providing Notice
Since late notice may result in a total loss of coverage, knowing when you must provide notice on a claims made policy is extremely important. This can be confusing with cyber claims, which can touch on multiple lines of coverage. Generally, it is best to provide notice to all potential insurers at the time of the breach to help ensure that an insurer cannot claim that the notice was provided too late to be covered.
• Errors & Omissions / Professional Liability Insurance (E&O) Coverage An E&O policy may provide some cross-over coverage for a cyber claim. For example, law firms have a duty to keep their clients’ information confidential. Failure to keep personally identifiable information confidential as a result of a data breach may be covered by a law firm E&O policy. However, some insurers have denied such claims arguing that a data breach is not caused by a wrongful act by the law firm. Regardless, even the broadest E&O policies are unlikely to provide notification/credit monitoring coverage or full coverage for forensic investigations. As such, a cyber policy will likely be needed for full protection.
• Commercial General Liability (CGL) Coverage Many CGL policies offered at least some coverage for a cyber event. For example, many CGL policies covered invasion of privacy or privacy/confidentiality allegations. Currently, however, most CGL policies add an exclusion for cyber events making coverage for a cyberattack increasingly rare under a CGL policy.
• Fiduciary Liability (FI) Coverage Certain provisions of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act require prompt notice of a data breach or privacy event and provide strict penalties for failure to comply with the laws. A strong FI policy may respond to some of the notice expenses as well as certain penalties from a cyber event. However, as noted with E&O coverage, it is unlikely that an FI policy would cover notification/credit monitoring or full forensic investigations.
• Employment Practices Liability Insurance (EPLI) Coverage EPLI policies may cover certain allegations by employees that the company failed to protect their personally identifiable information. This is highly dependent on the allegations made by the employees. Some EPLI policies may also provide coverage for third parties. However, these protections are generally only available where the plaintiff can show discrimination or harassment. EPLI policies are also unlikely to cover credit monitoring or notification costs.
• Crime / Fidelity Coverage Finally, it may also be possible to find some coverage for a cyber event/data breach under a crime/fidelity policy. Again, this is dependent on the damages alleged. For example, some crime policies will include a computer fraud rider that may allow coverage for certain expenses related to customer communications, public relations, lawsuits, regulatory defense costs, and fines imposed by credit card vendors.
B. Social Engineering Fraud / Phishing Coverage
One of the more common and costly potential coverage gaps is the lack of coverage for “voluntary transfers” related to social engineering fraud or phishing attacks.
Phishing Attacks on the Rise
Phishing attacks are not only more common but are becoming more successful. According to Verizon’s 2016 Data Breach Investigation Report, 30% of phishing e-mails were opened by their intended targets in 2016 and 12% of those recipients went on to click on the malicious attachment that enabled the attack to succeed. This is up from 2015 when 23% of phishing emails were opened.
There are many variations on this scam but essentially, the CFO receives what appears to be a legitimate email from a client or vendor asking the CFO to wire money to an account. The email often looks completely real and, in fact, is often the result of a hacker breaking into the client or vendor’s system, allowing the hacker to send messages from the client or vendor’s actual email address. Only after wiring the money (often multiple transfers and increasingly larger sums) does the CFO learn that he or she has become a victim of fraud. This type of fraud is increasingly common, hitting companies large and small and across several industries including banks, manufacturers, retailers and even several law firms. According to the FBI, phishing attacks have cost businesses more than $2.3 billion in losses in the last three years. In fact, Stu Sjouwerman, Founder and CEO of KnowBe4 estimates that phishing attacks are the number one penetration point for most internet crime.
Unfortunately, many companies are not covered for this type of loss even if they purchase cyber liability insurance coverage. Most cyber insurers will not cover this loss because it was not the insured’s system that was hacked – instead, it was the insured’s client’s or vendor’s system that was breached. Without a breach, there is no covered loss under the policy despite the obvious fraud on the insured. Adding insult to injury, the insured’s crime/fidelity bond policy will typically not respond because there is no “theft.” Generally, crime policies consider this type of social engineering fraud a “voluntary transfer” which is specifically excluded from coverage. This exclusion applies even though the CFO was tricked into wiring the money. See Apache Corp. v. Great American Insurance Co., No 15-20499 (5th Cir. Oct. 18, 2016), holding that the insurer was not liable for $7 million in company funds that were voluntarily transferred. The most frustrating and unfortunate part of this situation is that coverage for this type of social engineering fraud is generally available upon request on most crime policies and some cyber liability insurance policies. Moreover, there is usually only a nominal additional premium required for the coverage. It is just that most companies do not know to ask for it.
C. Logistics Issues
One of the most difficult things about a cyber event is coordinating the various types of coverages that may apply. Coordinating limits, retentions/deductibles and other coverage requirements may be difficult. In addition, because multiple types of policies may apply, there may be problems coordinating defense counsel (different insurers may not approve of a firm required by another insurer or there may be disagreement between insurers about reasonable hourly rates). The claims made requirement of many of these policies may also present problems for insureds in the event of a claim. Insureds are well advised to coordinate their coverage in advance so they are not attempting to resolve these issues for the first time after a cyber event has occurred.

Coverage Tip
Consider the following when coordinating coverage:
• Priority of Coverage – Which Policy Goes First?
• Potential Allocation Issues
• Potential Issues with Choice of Counsel
• Potential Issues with Attorney Hourly Rates
• Other Insurance Clauses
V. KEY PROVISIONS TO NEGOTIATE IN A CYBER LIABILITY POLICY
A. Cyber Insurance Is Not a Commodity
Cyber liability policies are unlike many other types of insurance policies. There is no standard cyber liability insurance form. There is a lack of uniformity in terms and conditions, as well as in scope of coverage. As a result, comparing the premiums of cyber liability insurance is not informative. Instead, insureds must compare and contrast each cyber liability policy to ensure that it meets their risk transfer needs. Even the simplest cyber liability policy has an intimidating number of detailed definitions, exclusions and conditions, with nuances of wording that may have very costly consequences. Narrow definitions and overly broad exclusions found in many off-the-shelf policies may mean the difference between a policy covering a multi-million dollar loss or one that leaves insureds to pay the tab. Fortunately, cyber liability insurance policy forms are not cast in stone. There is sufficient competition in the marketplace and many cyber liability insurers are willing to consider suggestions and, in varying degrees, to tailor policies to meet an insured’s needs by means of endorsements. Too few insureds avail themselves fully of this opportunity and many discover shortfalls only after a claim arises.

Real Life Example of How Failure to Negotiate May Limit Coverage
The only service an insured company provided was moving goods from point A to point B. The E&O policy (which the company had purchased for several years) had an exclusion that said if the goods were damaged, lost or the shipment was delayed, there was no coverage. This exclusion essentially made the coverage worthless to the company.
B. Need to Negotiate Coverage
Negotiating enhanced coverage is a formidable challenge for insureds. First, as stated previously, a standard cyber liability insurance policy form does not exist. Cyber liability insurance policy forms vary significantly from one insurance company to the next. Some insurance companies offer, in addition to a general corporate form, different forms for financial institutions, health care organizations, mutual funds and other specialized markets. Second, the frequency of new policy forms is increasing. Each new policy has new language that may impact the coverage. Third, the meaning of policy language frequently is unclear. The movement for plain-English contracts has not been widely embraced by cyber liability insurers. Fourth, and perhaps most importantly, few buyers have a full appreciation of the many built-in pitfalls in standard policies. Until insureds have been through the complete cycle of working with an insurer – from negotiating policy terms, to making a claim and receiving a “reservation of rights” letter, to working through a coverage dispute – they cannot foresee many of the issues that an insurance company may raise to limit or deny coverage under a policy. For all these reasons, it is unrealistic for insureds to expect a risk manager who reviews one cyber liability insurance policy per year to obtain top coverage. And, unless a broker specializes in cyber liability insurance and is an attorney, it is nearly impossible for him or her to stay on top of all of the market changes and the endorsements offered by each insurer. Insureds should engage a team of professionals. Otherwise, what they save now, they may pay for many times over in the future.

Obtaining Broad Coverage Does Not Necessarily Cost More
Many insureds are surprised to learn that adding endorsements and making improvements to their coverage does not often increase their premium. Some insureds have added more than 60 enhancements to their policy without any increase in the premium.
C. General Recommendations for Buying Cyber Insurance Policies
1. Understand Your Risk
The first step in securing appropriate cyber liability insurance coverage is to understand the most significant risks facing the company. For some companies, the primary concern may be the costs resulting from the theft of personal financial information (e.g., notification costs, credit monitoring, etc.). For other companies, the main concern is the disruption of the business caused by attacks. Understanding what risks are most important to the company is absolutely essential to the process of securing the best coverage possible.
2. Understand Your Existing Coverage
As noted above, insureds may find coverage for a data breach or cyber claim in many different types of insurance policies. Knowing what your various insurance policies will and will not cover may significantly reduce the expense of a cyber liability insurance policy. For example, if you already have third-party coverage through an E&O policy, it may be possible to reduce the premium for a cyber liability policy by removing duplicate coverage or by purchasing lower limits.
3. Match Your Risk Transfer Needs to Your Cyber Liability Policy
Once you have an understanding of your risk transfer needs, it is important to find a cyber liability policy that most closely aligns with those needs. There is no point in paying for coverage that you do not need. Likewise, there is little point in purchasing coverage that does not cover your most important concerns. Only a thorough review of the policy options will determine whether a particular policy provides a good fit for your risk transfer needs.
4. Involve the Relevant Parties at the Company
One of the most common mistakes when purchasing cyber liability insurance is the failure to involve the relevant parties at the company in the key coverage decisions. For example, the risk manager may be very comfortable with the panel counsel requirement under the policy.
However, the general counsel may insist on using a non-panel firm for a particular claim. Using a non-panel firm may jeopardize the coverage or even void it altogether. This is a common issue for cyber liability policies because cyber liability policies often require the use of a pre-approved breach coach, public relations firm and law firm as a condition for coverage. Many companies are more proactive today in their approach to cyber risk and many have hired experts and legal professionals to assist them with their planning and crisis management needs. This may create significant issues if the company is not allowed to use the preferred expert or professional with which it has a pre-existing relationship simply because that expert or firm is not on the pre-approved panel. The time to learn about and resolve these potential issues is before the policy is finalized. Insurers are often much more willing to endorse a breach coach or law firm onto a policy at renewal or before the policy is purchased than to provide an exception at the time of the claim. In addition, the company will need to respond promptly to a breach and may not have time to seek an exception to the panel firm requirements after a breach is discovered.

Beware the “Double Secret” Panel Counsel Requirement
Some insurers will say that you may use whatever service provider you want as long as their hourly rates are “necessary and reasonable.” That may sound attractive, but it is often difficult to find a top service provider that will work for what an insurer thinks is “necessary and reasonable.” If your policy does not specify the service providers that you are required to use, we highly recommend that you endorse on your preferred service providers along with their agreed-to hourly rates.
D. Negotiating the Coverage Grants
Understanding the coverage grants available, along with what coverage you need, is an important step toward ensuring that you have strong cyber liability coverage. There are many different coverage grants available and they go by many different names in different policy forms – thus, it is not an easy task to figure this out. Notwithstanding, here are some of the most common types of coverage grants:
• Loss Containment Coverage
• Third-party Liability Coverage
• Regulatory Defense and Penalties Coverage
• Online Media Liability Protection Coverage
• Network/Business Interruption Coverage
• Extra Expenses Coverage
• Data Loss and Restoration Coverage
• Cyber Extortion Coverage
• Computer Fraud Coverage
• Improper Electronic Transfer of Funds Coverage

Coverage Tip
Be sure that your policy covers information managed by third parties such as data handling, processing and storage companies, and cloud service providers. Often, companies assume that because they outsource these functions, they have no exposure and/or that their policies would respond if they are exposed. That is not always the case.
In addition to the types of coverage available, it is important to carefully review the actual coverage grants to make sure that you have the broadest coverage possible. The following are some examples of issues to consider when reviewing the coverage grants:
• Some policies only cover certain types of “data” and/or limit coverage based on when and where it exists.
• Many policies limit coverage to just electronic data. When possible, it is better to cover all types of data.
• Be sure that loss caused by insiders/employees is covered. Some policies only cover loss caused by outsiders.
• Make sure the coverage does not require “updated” software protections. This may artificially limit coverage for many companies.
• Make sure that there is coverage for state-sponsored attacks. Many policies will limit coverage by adding an exclusion or limiting definitions.
E. Negotiating Key Definitions
Insureds often overlook the definitions in a cyber liability insurance policy. However, the definitions are what often determine the coverage. To illustrate this point, a few years ago, an insurer issued a policy with no exclusions. Of course, this did not mean all risks were covered by the policy. Instead, the insurer narrowly defined terms such as “Claim” and “Loss” to exclude the risks it did not want to cover. Given that there are myriad definitions in each cyber liability insurance policy, and that each may impact coverage, insureds should carefully review and negotiate the definitions in light of the insureds’ specific risk transfer needs. Some of the definitions that insureds should focus on are listed below.
1. Application
The definition of “application” is important because the application is the basis for coverage. If material information is omitted or misstated in the application, this may constitute application fraud, which could result in rescission of the policy. Consequently, it is in the insureds’ best interest to keep the definition as narrow as possible. Cyber liability policies often define the term “application” to include, in addition to the application form itself, any public document filed by the named insured with any federal, state, local or foreign regulatory agency at any time. This definition is overly broad and may have a devastating effect on coverage. For example, an insurer should generally not be allowed to rely on a document filed with the Securities and Exchange Commission (SEC) many years ago to deny coverage today. One way to limit this risk is to narrow the definition of application. By limiting the documents considered part of the application, an insured may reduce the chance that irrelevant, old and potentially stale information could affect its coverage.

Coverage Tip
Directors and officers should take the time to review the application each year. The application is the basis of the insurance contract and a careful review of the application may minimize the risk of rescission later.
2. Claim
What constitutes a “claim” as defined by a cyber liability insurance policy is critical. It impacts the scope of coverage and triggers several obligations of the insurer and the insured. A claim is not limited to a lawsuit. It may include a written demand for monetary or other relief, a civil, criminal or administrative proceeding or investigation, or even a regulatory action. Although it is generally desirable to have a broad definition of claim, too broad a definition may be problematic. For example, some policy forms define “claim” to include both written and oral demands for monetary damages. The addition of an oral demand to the definition might seem like a desirable expansion of coverage. However, this addition may create coverage problems for the insureds. An insured who receives an oral demand might not recognize it as a claim and thus, may not report it to the insurer in a timely manner. No timely notice, no coverage. In addition, there is the problem of proof. Trying to establish what a disgruntled individual said to an officer of the company at a cocktail party three years ago and trying to determine if it constituted a reportable demand for monetary damages could be a difficult task. To avoid potential coverage issues, it is generally better for insureds to ask their insurer to delete oral demands from the definition of “claim.”
3. Insured Entities
The definition of “insured” may seem straightforward. However, the standard definition may omit key entities that the company intended to cover, and insureds may need to amend the definition to ensure that all appropriate entities have coverage. The term “insured” typically includes a named insured entity, its subsidiaries and certain insured persons. One example of how this definition may be lacking is that it does not clearly cover a debtor-in-possession. When a company files for protection from its creditors under Chapter 11 of the Bankruptcy Code, the company becomes a debtor-in-possession. A debtor-in-possession is considered a separate legal entity from the company despite the fact that many of the same directors and officers may still be involved in running the entity. The problem is that the definition above may not include a debtor-in-possession as an insured.
This could leave a serious hole in the company’s insurance protection. Fortunately, most insurers will amend the definition of insured to include a debtor-in-possession upon request. Another potential shortcoming of the standard definition of insured is that many companies are part of a complicated structure that may include parent and subsidiary companies, sibling companies, unrelated companies that work closely together or even share resources or work, joint ventures, for-profit entities and non-profit entities sponsored by a for-profit entity. When purchasing cyber liability insurance, a threshold question is what entities do the insureds want to insure? Do they all fit under the definition of insured? Often, insureds desire to insure the collective risk of some mix of companies, some of which have relationships more complicated than parent and subsidiary. In this case, it is critical that the company amend the definition of insured to include all entities that do not clearly fall under the standard definition. Finally, it is important to determine the correct entity to list as the named insured or parent company. Coverage in a cyber liability policy typically flows down from the named insured, but not up the corporate chain. If the named insured is the parent company, the policy should cover all of the parent’s subsidiaries. The reverse is not true. Sometimes companies name a subsidiary as the named insured for tax purposes or because the subsidiary is where most of the business risk lies only to find out later that, in doing so, the parent company lacks coverage. Since the parent company is often named in a lawsuit regardless of whether it was ultimately responsible for the alleged action, it is generally not advisable to use a subsidiary as the named insured.
4. Loss
The definition of “loss” is another important term in cyber liability insurance policies since there must be a loss for coverage to attach. Coverage of punitive damages may be an important reason for purchasing a cyber liability insurance policy, but the insurability of such damages varies between jurisdictions. To maximize the chances that punitive damages will be covered by the policy, the policy should have a “most favorable venue” provision that provides that the applicable law that most favors the insurability of punitive damages will apply when determining coverage.
Some jurisdictions may require a more specific most-favorable-venue provision, which limits the potential venues to those that have some relation to the claim and/or the insurance contract. Such a provision may state that the most favorable law of any of the following jurisdictions will apply to determine the insurability of punitive damages: (1) the location of the named entity’s headquarters or its principal place of business; (2) where the insurer is located; (3) where the alleged wrongful act took place; (4) where the claim is brought; or (5) any other jurisdiction that has a substantial relationship to the claim.
F. Negotiating Key Exclusions
The exclusions found in most cyber liability insurance policies fall into one of five main categories:
• illegal/fraudulent conduct exclusions (e.g., illegal profits, criminal acts, fraudulent or intentionally dishonest acts, and medical malpractice, if proven)
• other insurance exclusions for claims covered by other types of policies (e.g., claims for property damage, bodily injury and workers’ compensation)
• timing exclusions for claims that belong on previous or subsequent policies due to timing issues (e.g., matters where the risk was noticed on another policy, the risk was known prior to the inception of the policy, or where the litigation had commenced prior to the inception of the policy)
• insured vs. insured exclusion for claims that are potentially collusive (e.g., claims brought by or with the assistance of an insured)
• miscellaneous exclusions that are specific to cyber claims
1. Illegal/Fraudulent Conduct Exclusions
Most cyber policies include exclusions for fraud, intentional and illegal misconduct. How a policy determines whether a conduct exclusion applies, when that determination may be made, and who gets to make this determination are extremely important. For example, does the determination of whether an insured committed fraud have to be made by a court or can the insurer make the determination? Similarly, assuming a court must make the determination, must the court make the determination in the underlying action or may the insurance company bring a new and separate action to determine the alleged fraud after the fact? An action against the insured by its insurance company, coming right behind a class action, is a most unappealing prospect for many insureds. For this reason, many insureds prefer a “final, non-appealable adjudication in the underlying proceeding” standard. This standard provides insureds with the maximum coverage possible and requires a final, non-appealable adjudication by a court in the underlying action to establish that the alleged wrongful conduct occurred. Without such a final, non-appealable adjudication of wrongful conduct, the exclusion does not apply (i.e., there is coverage available from the policy). A less preferable alternative is an “in fact” determination. It is not altogether clear what constitutes an “in fact” determination or who gets to make that determination. However, it is certainly less than a final, non-appealable adjudication by a court and, therefore, less desirable from the perspective of providing the maximum coverage possible to the insureds.

Typical conduct exclusions exclude coverage for:
• intentional dishonest acts or omissions
• deliberate fraudulent acts or omissions
• deliberate criminal acts or omissions
• receipt of illegal profits
• receipt of illegal remuneration
Of course, like many issues with cyber liability insurance coverage, providing the broadest coverage possible may make it possible for a “guilty” insured to dilute or exhaust the policy limit to the detriment of the other “innocent” insureds. As such, some insureds may prefer the “in fact” standard or some other hybrid of the “in fact” and final adjudication standards. It is very important that the conduct exclusions only apply to intentional/fraudulent acts committed by the insureds. Intentional/fraudulent acts by others should be covered.
2. Other Insurance Exclusions
Cyber liability policies contain a number of exclusions designed to ensure that risks that are more properly covered by a different type of insurance policy are not covered by the cyber liability policy. For example, most cyber liability policies exclude the following types of claims:
• property damage and bodily injury claims, which may be covered by general liability insurance
• workers’ compensation claims, which may be covered by workers’ compensation insurance
• employment practices claims, which may be covered by employment practices liability insurance
• losses related to the environment, which may be covered by environmental liability insurance
• ERISA claims, which may be covered by fiduciary liability insurance
In order to guard against gaps in coverage between policies, it is important to negotiate each of these exclusions so that they are as narrow as possible. The following are some examples of how these exclusions need to be negotiated.
Bodily Injury / Property Damage Exclusion
Some policies exclude coverage for any claim “arising out of, based upon or attributable to” property damage and bodily injury. This is too broad. Instead, the quoted language should be replaced with the word “for.” This addresses the situation when there is an injury, which is followed by a secondary lawsuit claiming a failure to supervise. A company’s general liability policy might cover the direct liability associated with the injury, but it may not cover the subsequent lawsuit. With the change to “for,” the company’s cyber liability insurance policy could provide coverage.
The bodily injury/property damage exclusion should also include a carve back clause for mental anguish, emotional distress and shock caused by a cyber event. Many plaintiffs will allege these types of damages after a breach. Many insurers will only provide this coverage upon request.

Coverage Tip
At least one insurer has offered coverage for cyber-related bodily injury and property damage liability, for example, where a virus shuts down a computer system and that shutdown causes bodily injury. This type of coverage may become more important if the “standard” general liability policy adds exclusions for cyber-related claims, as is expected.

Employment Practices Exclusion
Cyber liability policies often exclude coverage for employment practices claims. If your policy has such an exclusion, you need to make sure that there is a carve back clause for employment claims alleging privacy violations caused by a data breach.
ERISA Exclusion
Similar to the employment practices exclusion described above, a strong cyber liability policy will have a carve back clause to the ERISA exclusion for claims alleging damages caused by a data breach of the insured’s employee benefits program.
3. Timing Exclusions
As discussed above, most cyber liability insurance policies are written on a “claims made” basis, making timing critical to the determination of coverage. To emphasize this point, most cyber liability policies will contain several timing exclusions. The three most common of these exclusions are: (1) the prior notice exclusion; (2) the pending and prior litigation exclusion; and (3) the prior acts exclusion. In order to obtain maximum coverage, an insured should negotiate each of these exclusions.
(a) Prior Notice Exclusion
A typical prior notice exclusion excludes any claim arising out of, based upon, or attributable to any facts or circumstances alleged or contained in any claim that was previously reported by the insured under a previous insurance policy. The risk with this exclusion is that an insurer may reject a reported claim. In these situations, the insured may be left without coverage. As such, insureds should attempt to negotiate language that states that only those claims that are previously reported and covered by a previous insurance policy will be excluded by the new policy.
(b) Pending and Prior Litigation Exclusion
A typical pending and prior litigation exclusion excludes any pending or prior litigation and any new litigation that is based upon the same or essentially the same facts or circumstances as any pending or prior litigation. The intent of this exclusion is to ensure that the insurer is not tricked into insuring a “burning building.” Insureds should consider asking the insurer to remove this exclusion or to limit the scope of the exclusion so that only litigation known to a select control group of insureds (e.g., the CEO, CFO and general counsel of the named insured), will be excluded from coverage.
(c) Prior Acts Exclusion
A typical prior acts exclusion excludes coverage for any claims based upon wrongful acts that occurred prior to a certain date – often the inception date of the policy. Given the claims made nature of the cyber liability insurance policy, a prior acts exclusion has the potential to strip the cyber liability policy of all or most of its value and insureds should avoid such an exclusion whenever possible. This can be extremely problematic in the cyber context because cyber-criminals and hackers may install spyware, viruses and other malware long before a breach is discovered. If the cyber policy considers the intrusion date as the date of the wrongful act, a business may end up with no coverage for a breach that is discovered after the policy has incepted. For this reason, businesses should make every effort to avoid prior acts exclusions whenever possible.
[Chart: # of Months Before Hackers were Detected]
Because hackers often have access to computer systems for months before they are detected, full prior acts coverage is important.
4. The Insured vs. Insured Exclusion
In the mid-1980s, many insurers added an “insured vs. insured” exclusion to D&O and other types of management liability insurance policies to bar claims brought by or on behalf of one insured against another insured. The purpose of the exclusion is to avoid covering collusive, intercorporate disputes. For example, prior to the addition of the exclusion, a large financial institution filed a lawsuit against certain of its loan officers and then turned the loss over to its D&O insurer. By doing so, the insured essentially converted its D&O policy from a third-party liability coverage into a policy that could cover first-party business risk. While there is clearly a need for an insured vs. insured exclusion in the example above, many insured vs. insured exclusions cast too broad a net and may severely impair much needed coverage. Many cyber liability insurers will agree to “carve out” certain claims for various reasons including for the following:
• failure to protect confidential information
• failure to disclose a breach event in violation of law
• the unintentional failure to comply with the insured’s privacy policy
• violations of privacy statutes
Often these carve backs only relate to a specific coverage grant so it is important to review each coverage grant separately.
5. Miscellaneous Exclusions for Cyber Coverage
Mechanical / Electronic Failure Exclusion
The mechanical/electrical failure exclusion removes coverage for claims caused by a mechanical shut down such as when your computer stops working. This exclusion needs to be limited so that if a cyber-criminal causes the mechanical failure or shut down by means of a virus, spam attack, etc., the policy may respond.
Acts of War, Invasion and Insurrection Exclusion
Many cyber policies exclude coverage for claims involving acts of war, invasion, insurrection, terrorism, etc. Including terrorism in this exclusion can be problematic in the cyber context as almost all cyberattacks could be considered acts of terrorism, whether foreign or domestic. This is especially true for businesses that may be attacked by a nation-state entity. A strong cyber policy should not reference terrorism in this exclusion.
Laptop Exclusion
Many insureds are surprised to learn that cyber liability policies generally exclude coverage for portable electronic devices such as laptop computers or cell phones. Obviously, this can severely limit the coverage provided by a cyber policy. Fortunately, many insurers will remove this exclusion if a business agrees to provide “satisfactory” encryption for any data contained on the portable devices – something most businesses do already.
Patent, Software, Copyright Infringement Exclusion
Some cyber liability policies will cover infringement claims caused by non-management employees or outside third parties. Insureds should attempt to negotiate these carve backs if possible.
6. Exclusion Severability
In order to make sure that the acts of one insured person do not impact coverage for other, innocent insureds, a cyber liability insurance policy should contain an exclusion severability provision. An exclusion severability provision states that no wrongful act committed by any one insured shall be imputed to any other insured for purposes of determining the applicability of any of the exclusions.
G. Negotiating Key Terms and Conditions
1. Application Severability Provision
Absent an “application severability provision,” if any insured had knowledge of a fact that was misstated in the cyber liability insurance application (regardless of whether the insured knew the fact was misstated in the application), coverage under the policy could be voided for all insureds. A strong application severability provision ensures that the knowledge of an insured who knew of facts that were misrepresented in the application could not be imputed to any other insured for the purpose of determining whether coverage is available under the policy.
2. Rescission
Rescission is the act of completely voiding a policy due to a fraud or misrepresentation in the application for insurance. Rescission eliminates all coverage for all insureds back to the inception date of the policy. Fortunately, rescinding a cyber liability insurance policy is not an easy task. Although the exact requirements vary by state, before an insurer can rescind a policy the insurer must generally prove that there was a material misrepresentation in the application for insurance and that the insurer relied upon that misrepresentation when underwriting the risk.
Since the insurer bears the burden of proof in establishing these elements, it will typically have to bring a successful lawsuit against its insured before it may rescind its policy. For many reasons, this is not something insurers want to do except in the most egregious of situations. For this reason, among others, many insurers today will provide non-rescindable coverage upon request. However, insureds must be very careful here as some non-rescindable endorsements may actually make it easier for insurers to deny coverage. For example, some endorsements make the policy fully non-rescindable but then allow the insurer to determine whether there was a material misrepresentation in the application or whether the insurer relied upon such a misrepresentation. This type of language shifts the burden of disproving the insurer’s position to the insured. Thus, instead of having to go to court to prove that there was a material misrepresentation and reliance on that misrepresentation, the non-rescindable endorsement allows the insurer to simply deny coverage for the claim. To dispute the insurer’s position, the insured must then bring the lawsuit, and bear the burden of proving that it did not make a misrepresentation in the application and/or that the insurer did not rely on the alleged misrepresentation. For many insureds, such a provision would be less favorable and should be avoided. This is an area where a review by a cyber liability insurance expert may be extremely helpful.
3. Forced Settlement / Hammer Clause
A forced settlement or “hammer” clause provides that if the insurer agrees to fund a settlement within the policy limit but the insured rejects the settlement, the insurer’s liability is capped at the amount of the rejected settlement plus any defense costs incurred up to that date. Insurers include this provision in their cyber liability policies to prevent insureds from fighting on principle with the insurers’ money. By forcing a settlement, the insurer is essentially saying that if the insured wants to continue to fight, it should bear the risk of a less favorable resolution to the case. While this may sound reasonable, there are many reasons why such a clause may be problematic. The following are some examples of how a hammer clause may be unfair:
Example 1: The insured is defending a claim where, if the case goes to trial, there is a 90% chance that the case would be resolved for $25,000 or less but there is a 10% chance that the loss could be as much as $300,000. The plaintiff makes an offer to settle the claim for $250,000 (the amount of the policy’s applicable retention). Using the hammer clause, the insurer “recommends” settlement to force the insured to accept the $250,000 settlement so that the claim could never reach the insurer’s policy limit. Such a result is unfair since the insurer is forcing the insured to pay more than the claim is worth. To avoid this risk, the hammer clause must be limited so that the insurer may only enforce the hammer if the settlement exceeds the self-insured retention of the policy and/or the insurer is willing to fully fund the settlement.
Example 2: The plaintiff offers to settle a claim on the following terms: Company X pays $5 million and the insurer pays $1 million. Again, the insurer would have an incentive to “recommend” this settlement in order to limit its exposure. However, forcing the insured to accept this offer is unfair. To avoid this risk, the insurer should be required to fully fund any proposed settlement before it may use the hammer.
Example 3: The plaintiff offers to settle a claim with a nominal payment of $1,000, but the company must agree that it will no longer engage in a particular type of business practice. Clearly, enforcing the hammer clause without consideration of the value of discontinuing the business practice at issue is unfair. To ensure that an insurer cannot force this type of settlement, the hammer clause should be limited so that it may only apply if all damages are compensatory in nature.
Example 4: Finally, consider a situation in which settling a lawsuit would require an admission of wrongdoing or would encourage other lawsuits. The cost of subsequent settlements could exceed the policy limit and the policy might not provide coverage.
To avoid these problems, insureds should request that the insurer remove the hammer clause from the policy. If an insurer will not delete the hammer clause, the clause should be limited so that it only applies: (1) if the settlement exceeds the self-insured retention; (2) the insurer is willing to fully fund the settlement, including the retention; (3) the settlement only involves compensatory damages (i.e., there is no non-monetary relief required by the settlement); and (4) the settlement has no potential impact on other pending or expected cases against the insured. Insureds should also insist that their insurer “soften the hammer” so that the insured would only be liable for a small percentage above any settlement recommended by the insurer (generally, insurers will agree to reduce the co-insurance from 50/50 to 90/10 or 80/20 upon request).
4. Cancellation Clause
The cancellation clause in a cyber liability insurance policy establishes when an insurer may cancel its policy. Many cyber liability insurance policies allow the insurer to cancel a policy for any reason or for no reason at all. Obviously, insureds would not want their cyber liability insurance policy cancelled by an insurer that senses serious claims are coming (e.g., when an insurer fears a data breach will be coming in the near future). Many states have attempted to address this problem by requiring that all policies issued in their state include a “state amendatory endorsement,” which limits how and when an insurer may cancel its policy. Unfortunately, few states have kept up with changing market conditions and insurers are often willing to provide more protection against cancellation than a state requires in its mandatory endorsement. In fact, many of the mandatory state endorsements actually reduce coverage for insureds today rather than increase it. State laws on cancellation were intended to protect insureds by providing a minimum, not a maximum, amount of protection. To be sure that a cyber liability insurance policy has the broadest protection against cancellation possible, insureds should negotiate their cyber liability insurance policies so that:
(a) the cyber liability insurance policy only allows the insurer to cancel coverage if the company fails to pay the premium when due; and
(b) if the cyber liability insurance policy has a state required endorsement that limits when the insurer may cancel coverage, it must also have a state amendatory inconsistent endorsement, which states that, to the extent permitted by law, where there is an inconsistency between a state amendatory endorsement and any term or condition of the policy, the insurer shall apply the terms and conditions of either the amendatory endorsement or the policy that are more favorable to the insured.
5. Notice / Claim Reporting Provisions
Failure to give timely notice of a claim is a common reason insurers deny coverage for an otherwise covered matter. To avoid a denial of coverage, insureds should become very familiar with the reporting requirements of their cyber liability policies. The notice provisions in cyber liability policies can differ dramatically. The following are some of the many types of reporting requirements that exist:
Claims must be reported as soon as practicable within the policy period
This is the traditional claims made and reported language – and it is undesirable. The problem with this language is that the policy will only cover a claim made the day before the policy is about to expire if the insured reports that claim before the policy expires. This puts an unreasonable burden on the insureds. This language also requires the insured to report a claim made early in the policy period as soon as practicable. This could leave an insured without coverage for a claim even if the claim was reported within the policy period.
Coverage Tip
Even if a late-reported claim is ultimately accepted by an insurer, most insurers will not cover any expenses incurred prior to the date the notice was received. Thus, insureds are well served to notice claims as soon as they become aware of them.
Claims must be reported within 30 days
Some insurers require that a claim be reported within a set period of time (generally within 30 to 90 days of when the claim was made). This language is also undesirable. Although it does soften the reporting requirement so that an insured could report a claim after the policy expiration date (a good thing), claims made early in a policy period could still be considered late even if they were reported within the policy period.
Claims must be reported within the policy period but a claim made in the last 30 days may be reported for 30 days after the policy expires
This language softens the potentially harsh requirements in the previous provisions. It allows an insured to report a claim that comes within the last 30 days of the policy period for 30 days after the policy expires – relieving the unrealistic requirement that a claim made on the last day of the policy period be reported before the policy expires. It also allows an insured to report claims made early in the policy period at any time within the policy period, reducing the chances of a late notice.
Claims are accepted as long as the insurer is not prejudiced by the late notice
Some insurers now offer to cover a late noticed claim unless the insurer was actually and materially prejudiced by the late notice. This is generally the best option for insureds when available.
In addition to the timing issues above, insureds should also seek to limit the insured persons whose knowledge will trigger the reporting requirements. Because the typical notice provision applies to all insureds and many of the insureds may not fully understand the cyber liability insurance reporting requirements, it is best to limit the reporting trigger to when the risk manager or general counsel of the named insured first learns of the claim.
For example, one insurer provides as follows:
“An Organization or an Insured shall, as a condition precedent to the obligations of the insurer under this policy, give written notice to the Insurer of a Claim made against an insured as soon as practicable after the Named Entity’s Risk Manager or General Counsel (or equivalent position) first becomes aware of the Claim, but in all events no later than either: (a) the end of the Policy Period or the Discovery Period (if applicable); or (b) within 30 days after the end of the Policy Period or the Discovery Period (if applicable), as long as such Claim was first made against an Insured within the final 30 days of the Policy Period or the Discovery Period (if applicable).”
The need to negotiate the notice provision was recently highlighted by a court decision in which the insurance policy contained the “as soon as practicable” requirement. The insured company failed to update its address with the state. Thus, it did not become aware of a complaint that was served by notice to the secretary of state until months later. Although the company promptly notified its insurers after it discovered the complaint, the insurers denied coverage on the basis that they did not receive notice as soon as practicable after the claim was made. The Second U.S. Circuit Court of Appeals agreed, finding that the insured could have “practicably” changed its address on file with the secretary of state and that the insured’s notification of the lawsuit almost eight months after service of process was sent to the secretary of state was not “as soon as practicable.” Briggs Ave. L.L.C. v. Insurance Corp. of Hannover, 550 F.3d 246 (2d Cir. 2008).
Finally, insureds should insist on an email reporting option.
H. Negotiating Excess Policies
Most cyber liability insurance programs with more than $10 million in limit will require an excess “follow form” policy. Despite their name, few excess policies truly follow the terms and conditions of the primary insurance policy. Instead, most excess policies will add various terms and conditions that have the potential to significantly impact the overall protection provided by the cyber insurance program.
Coverage Tip
Many insurers use a D&O excess policy form as their excess form for their cyber liability placements. This may create unique coverage issues that should not be ignored. Insureds are well advised to review the excess policies to avoid unintended coverage gaps.
Notwithstanding the potential impact that these added terms and conditions may have, excess policies are often wholly neglected. Insureds fail to analyze or negotiate their excess policies for many reasons. Sometimes, they just assume the excess policies are all the same and they just pick the cheapest one. Often, they just run out of time to deal with the excess policies as the renewal date approaches. This makes little sense because, once the limit of liability of the primary policy is exhausted, the excess policies will be very relevant to whether a claim will continue to be paid. In fact, in a large insurance program, the excess policies often constitute the vast majority of the limit of coverage. The following are just a few examples of how the failure to review and negotiate an excess policy may result in a loss of coverage:
1. Attachment / Exhaustion
Perhaps the most important provisions in an excess policy are those that determine when that policy will begin to provide coverage. This is referred to as the “attachment” or “exhaustion” point. Some excess policies state that the excess insurer’s liability for any covered loss will attach only after the insurers of the underlying policies have paid for loss equal to the full amount of the underlying limit. Such a provision could be interpreted to mean that payments by the insureds (or another source such as a Side A policy) to settle coverage disputes would not count toward the exhaustion of the underlying limit of liability. In fact, this is exactly what happened in Qualcomm, Inc. v. Certain Underwriters at Lloyd’s, London, 161 Cal. App. 4th 184, 73 Cal. Rptr. 3d 770 (Ct. App. 4th Dist. 2008). Qualcomm had a $20 million primary policy with AIG and an excess policy with Lloyds of London (Lloyds). In resolving the underlying lawsuit, Qualcomm incurred $28.6 million in defense and indemnity costs. In seeking insurance funding for the loss, Qualcomm settled a coverage controversy with AIG so that AIG paid $16 million of its $20 million limit. Qualcomm then sought to recover $8.6 million from its excess insurer Lloyds (Qualcomm was willing to absorb the $4 million in costs between the $16 million paid by AIG and the $20 million limit). Lloyds refused to pay any of the excess loss based on its attachment/exhaustion provision. This provision stated that the “Underwriters shall be liable only after the insurers under each of the Underlying Policies [i.e., the AIG policy] have paid or have been held liable to pay the full amount of the Underlying Limit of Liability.” Qualcomm sued and the court held in favor of Lloyds. According to the court, since AIG did not pay its full $20 million limit and since AIG was never held liable to pay the limit, the terms of the exhaustion provision in the Lloyds policy were not met and Lloyds would not be required to pay any amounts to the insured.
Beware of Sub-limits of Coverage
Some insurers continue to label coverage grants as “sublimits of coverage” even when the full policy limit is applicable. This can be a problem if the excess policy states it will not follow any sublimits of coverage listed in the primary policy.
As the Qualcomm case demonstrates, strict attachment/exhaustion provisions have the potential to gut coverage. To avoid this unfair result, insureds need to negotiate excess insurance policies so that they recognize payments made by the insureds, as well as any other source. An example of such a provision might provide that “Underwriters shall be liable only after the insurers of each of the Underlying Policies and/or the Insureds and/or any other source have paid or have been held liable to pay the full amount of the Underlying Limit of Liability.”
Insureds should be wary of variations of the above recommended language. For example, some insurers will offer a “shaving of limits” provision. Such a provision states that the excess insurer will attach once the underlying limit has been paid by the underlying insurers and/or the insureds, but that the excess insurer will receive the benefit of the underlying negotiations and will pay no greater a percentage of the excess limit than the lowest percentage paid by any underlying insurers. In other words, if the underlying insurer paid only 80% of its limit, the excess insurer would only have to pay 80% of its limit.
The problem with this solution is that there may be a reason to give a “discount” to an underlying insurer that does not exist with an excess insurer. For example, what if the reason for giving a discount to the underlying insurer is that the underlying policy had a different choice of law provision than the excess policy? In such a case, the reason to give a discount to the underlying insurer would not exist with the excess insurer. As such, it would be unfair for the excess insurer to benefit from the discount. Similarly, if the reason for the discount to the primary layer was due to a defense cost issue, an excess layer that is paying only liability should not receive the same discount.
2. Arbitration Provision
Some cyber liability insurance policies require disputes between the insured and the insurer to be resolved by arbitration (as opposed to litigation). Many insureds consider this a problem as they would prefer to have the option to litigate coverage disputes, since litigation tends to be more insured friendly than arbitration. This issue may be even more problematic in large insurance programs that require multiple insurers to build the total limit of coverage. Large insurance programs may have multiple and potentially inconsistent arbitration provisions. For example, in one program, the primary policy required AAA arbitration and applied the laws of the state of Florida. The first excess policy required UNCITRAL arbitration rules and applied the laws of Bermuda. A higher excess policy required controversies to be resolved in London under the Arbitration Act of 1996. In addition to applying different laws to any controversy, each of these arbitration provisions required the dispute to be heard in different locations. This type of inconsistency could force an insured to fight multiple battles on multiple fronts with potentially inconsistent results. Clearly, this is not what an insured wants from its insurance program.
To avoid this result, an insured should attempt to remove all arbitration requirements from its policies. If this is not possible, an insured should seek to have all of the insurers agree to one arbitration method with only one choice of law provision to resolve any potential coverage disputes. Which law is chosen and which jurisdiction should be specified as the judicial “seat” of the arbitration is likewise a matter of significant concern; counsel experienced in such matters should be consulted.
3. Appeals Provision
Some cyber liability insurance policies allow an excess insurer to appeal an adverse judgment against an insured even if the insured has no desire to appeal. One reason an insurer may want to appeal a matter is if the insurer believes the jury awarded unreasonably high damages and that such damages might be reduced on appeal. By appealing the judgment, the insurer may be able to reduce its losses. The insured, on the other hand, may have no desire to appeal the jury award, especially if the insurer is fully covering the loss. Instead, the insured may prefer to leave the matter resolved and remove the distraction of the litigation. Perhaps the most troubling aspect of an appeal provision is that most appeal provisions do not make the insurer responsible for any additional losses above the insurer’s policy limit incurred as a result of the appeal. Thus, if instead of reducing the jury award on appeal, the case is remanded and the new jury returns an even higher award – one that exceeds the insurer’s policy limit – the insured could potentially be required to pay for the increased award. To avoid this result, an insured should negotiate to delete the appeals provision from its program.
Coverage Tip
Taking the time to review and negotiate excess policies is essential. Insureds that fail to do so may discover that they have unfavorable provisions in their excess policies that may result in a loss of coverage in a claim situation. Since most excess insurers are willing to make the changes discussed above (and other significant changes) upon request and for no additional premium, insureds must take an active role in reviewing and negotiating their excess policies.
VI. SELECTING THE “RIGHT” POLICY LIMIT, RETENTION AND INSURER
Price is important when selecting the right cyber liability policy limit, retention and insurer. However, price is only one factor to consider and it is usually the least reliable factor in determining the right policy limit, retention or insurer. Companies cannot leave to chance whether this multi-million dollar asset will protect them in the event of a data breach/claim. Companies that assume that they are protected just because their company has cyber liability insurance may find out the hard way that their protection is inadequate. By taking the time to consider the right policy limit, retention and insurer for your risk transfer needs, companies may greatly improve the chances that their cyber liability policy will protect their company when they need it most.
A. Selecting the Right Policy Limit
There is no fool-proof way to determine the perfect amount of cyber liability insurance to purchase for any particular year. That said, there are many factors that may inform insureds as to the proper amount of insurance they need to feel protected:
1. Claim Studies
Perhaps the most scientific way to determine the appropriate cyber liability insurance limit is to consider claim studies. These studies consider the median and average settlement values for breaches compared to the number of records that may be jeopardized in the event of a breach. While these studies can be informative, they do have limitations.
Measuring the Cost of a Cyber Breach in 2016
• The average cost of a data breach was $665k. The median total breach cost was $60k.
• The average claim payout was $495k. The median claim payout was $49k.
• The average cost for Crisis Services (forensics, notification, credit monitoring, breach coach, etc.) was $357k. The median cost was $43k.
• The average legal fees were $130k. The median legal fees were $16k.
• The average PCI fine was $462k. The median PCI fine was $58k.
• The average cost for legal settlement was $815k. The median settlement was $250k.
• The average number of records lost was 2.04 million. The median was 1,339.
• The average cost per-record was $17k. The median cost per-record was $39.82.
Source: NetDiligence 2016 Cyber Claims Study
2. Benchmarking Studies
Benchmarking studies provide an insured with information about what limit the insured’s peer companies are purchasing. Again, this may be helpful, but there is no guarantee that the insured’s peer companies are purchasing the right limit. Moreover, such studies are typically limited to one broker’s experience, which may or may not include a statistically significant sampling of peer companies.
3. What the Directors Want
Sometimes, directors or officers will insist on a certain amount of insurance regardless of any claim studies or benchmarking data. Failure to provide the desired limit may mean that the company will be unable to attract or retain directors or officers.
4. What the Insured Can Afford
What the insureds can afford is another very real factor in determining what limit insureds should purchase.
5. Public Perception
Some companies fear that a high cyber liability insurance limit may attract lawsuits and/or increase the size of settlements. Most studies do not support this conclusion.
6. Defense Costs
When deciding the appropriate limit to purchase, insureds should also consider that defense costs are usually (but not always) included within the limit of liability. Thus, insureds also need to factor in the cost of defending a lawsuit when determining the appropriate limit.
Coverage Tip
It is important to make sure that you have enough insurance coverage to properly defend against claims. Increasingly, $1 million in coverage is simply not enough to cover a proper defense. Insufficient limits may force an insured to settle a claim it would prefer to contest and may result in personal liability for the directors and officers.
B. Selecting the Right Retention
Selecting the right retention is a complicated decision. Generally, an insured should select a retention that is above what it takes to resolve a typical cost of doing business claim, but below the point where satisfying the retention would have a significant negative impact on the insured’s operations. Within that range, the insured must balance the premium cost of a policy with the lower retention amount against the premium cost of a policy with a higher retention amount. One thing to keep in mind is that retentions rarely go down. Thus, moving to a higher retention will likely be a permanent choice.
C. Selecting the Right Insurer
Beyond the limit and retention, selecting the right insurer for a program is vitally important. Here are some factors to consider:
1. Terms and Conditions
Perhaps the most important factor to consider when deciding which cyber liability policy to purchase is the terms and conditions of the policy itself. Terms and conditions in cyber liability policies are not standard and different insurers have different philosophies about what type of claims they are willing to cover. An insured who saves a few dollars in premium by selecting an inferior policy may find they were “penny-wise but pound-foolish.”
2. Claims Handling
Never forget that you purchase a cyber liability policy to pay claims. Different insurers handle claims very differently. Before deciding to purchase a cyber liability policy, it is important to know the insurer’s reputation for paying claims. Insureds may also find it helpful to know whether the insurer has its own experienced claims staff or whether it uses outside law firms for its claims. Insureds with a global footprint may also want to consider whether their insurers have claim people in the relevant jurisdictions. Knowledge of local laws and customs may be very valuable in a claim situation.
3. Financial Ratings
The financial strength of an insurer is important. One way to determine the financial strength of a company is to consider its rating from A.M. Best or a similar rating agency.
4. Longevity in the Industry
Some insurers try to time their entry and exit from particular areas of insurance to coincide with the hard and soft market cycle. While such an insurer may be able to offer lower prices during “good times,” it is typically better for an insured to work with an insurer who will remain in the market in both good and bad times. Insurers that are committed to a line of coverage typically understand the relationship between the insurer and insured is an important part of the coverage.
VII. CLAIMS HANDLING
The true test of an insurance program is how it responds to a claim. Starting with the decision of whether to put insurers on notice of a cyber liability claim or a circumstance and continuing through the structuring of a settlement agreement, insureds get better results when they take an active role in the claims process.
A. Reporting a Claim
1. Timing
A claims made and reported policy, by definition, requires that a claim be properly “noticed” during the policy period. A strict reading of this language means that: (1) a claim that arises a few days before a policy expires must still be reported before that policy expires for coverage to attach; and (2) a claim that occurs in the first few days of a policy may still be covered even if it is not reported until just before the policy expires.
Insurers take this timing requirement very seriously. For example, in Westrec Marina Management, Inc. v. Arrowood Indemnity Co., 163 Cal. App. 4th 1387, 78 Cal. Rptr. 3d 264 (Ct. App. 2d Dist. 2008), an insured received a claim letter seven days before its insurance policy was to renew with the same insurer. The insured failed to report the claim until the new policy period and the insurer denied coverage. The court upheld the insurer’s denial, explaining that the insured did not properly make the claim during the first policy period since the insured failed to report it within the allotted time set forth in the first policy. Further, the claim was not proper under the new policy since the claim was not first made during that policy period.
Coverage Tip
Do not forget to provide notice to each of the excess insurers on the program. Failure to notice all of the excess insurers may result in a loss of coverage.
As previously discussed, some cyber liability insurance policies attempt to soften the strict timing requirements by allowing claims to be reported as soon as practicable or as soon as practicable but in no event more than 30 days after the claim is made. This type of language may create a mini-tail reporting period that allows a claim that occurs shortly before the policy expires to still be reported in a timely fashion after the policy expires. On the other hand, this type of language may exclude coverage on a claim that is not reported within the window set forth in the policy even if the policy has not yet expired. Regardless, given the obvious importance of ensuring a claim is reported in the appropriate time frame, it is vitally important that a company have a well-defined system in place for claims to be forwarded to the company’s risk manager or general counsel and, ultimately, its insurer. Failure to provide clear direction to company managers may result in a delay in reporting and, in turn, a dispute or even a denial of coverage by the insurer.
Coverage Tip
Most management liability policies are written on a claims made basis. To avoid late notice issues, insureds should notice all potentially relevant policies at the same time (e.g., D&O, EPLI, FI, Crime, CGL, etc.).
2. Details
Once it is clear that notice of a claim or circumstance should be sent, it is important to ensure that proper notice is given. For a claim, it is generally necessary to forward the written demand for relief to the insurer. When noticing circumstances, the cyber liability insurance policy may require a description of: (1) the “wrongful act” or circumstance; (2) the nature of the “wrongful act”; (3) the nature of the alleged or potential damage; (4) the names of actual or potential claimants; and (5) how the company first became aware of the claim or circumstance. The policy will also state where the insured should send the notice. The insured should send all insurers (primary and excess) notice of any claim or potential claim even if the insured does not expect the claim to exceed the primary insurer’s limit.
Coverage Tip
Different insurers on the same cyber liability insurance program may have different notice requirements. To obtain coverage from all layers, it is important to notice each insurer and follow the reporting requirements of each excess insurance policy.
3. Deciding to Report a Claim
Generally, reporting a claim under a cyber liability insurance policy is not discretionary. Thus, even if a claim does not appear to have any merit or is unlikely to exceed the company’s deductible or retention, the insured should still normally report it promptly. That said, some companies are concerned that reporting such claims may potentially result in higher premiums and/or less favorable coverage when the policy is renewed and will either not report or defer reporting the claim. However, the claims made requirement of a cyber liability insurance policy does not afford a company the luxury of waiting to gauge the severity of a claim. Failure to promptly report a claim may result in an insurer denying coverage even if the claim later develops into a more substantive and insurable risk. This risk may be significant as a claim that appears small or without merit may, nonetheless, result in large legal costs and/or liability. Hence, it is advisable to report all claims that are likely to fall within the ambit of coverage afforded by the cyber liability insurance policy and disregard any commercial consideration in connection with the claims reporting decision.
B. Defending a Claim
Most cyber liability policies are now written on a “duty to defend” basis. This means that the insurer (not the insured) controls the defense and claim strategy. Decisions such as which law firm to use, whether and how to defend a claim, and on what terms a claim should be settled are determined by the insurer in this type of policy.
There may be some real benefits to a duty to defend policy for the right insured. The fact is that many smaller companies are not set up to handle a data breach or other cyber-related claims on their own. Having access to known and vetted experts and professionals in the cyber/data breach fields may save an insured time and money, and may reduce losses or even help prevent future losses from occurring.
However, more sophisticated insureds may be uncomfortable with a duty to defend arrangement – especially when their companies’ reputations are on the line. For these insureds, a non-duty to defend policy is better because it gives the insureds more control of the defense of the claim. However, this additional control comes with insurer oversight. The non-duty to defend policy also requires the insureds to obtain the insurers’ consent prior to incurring defense costs and/or agreeing to a settlement. Failure to obtain that consent may leave insureds responsible for paying all or a portion of their expenses. In short, although the insured controls the defense, the insured must still work with its insurers if it hopes to have its expenses covered by the insurance policy.
Companies that have retained their own computer or forensic experts and legal professionals to review and/or vet their computer systems, apps and related services may also prefer a non-duty to defend policy. Typically, companies that have retained their own experts in the past will want to use those experts in the event of a claim. However, some cyber policies will only provide coverage if the insured company uses one of the experts or professionals included on the policy’s “panel list.” This can be extremely frustrating to insureds. Using a non-panel firm may jeopardize the coverage or even void it altogether.
Perhaps the best option is a policy that allows the insured to choose whether it wants to run the defense for any particular claim. Many insurers today will allow the insured to choose whether any particular claim will be handled on a duty to defend or a non-duty to defend basis.
Beware the “Double Secret” Panel Counsel Requirement
Some insurers that offer non-duty to defend coverage will say that the insured may use whatever service provider it wants as long as the service provider is qualified and its hourly rates are “necessary and reasonable.” That may sound attractive, but it is often difficult to find a top service provider that will work for what an insurer considers “necessary and reasonable.” In a recent coverage dispute, the insured had three quotes from service providers – the least expensive provider charged $600 per hour. The most the insurer would approve is $209 per hour. The business could not find a service provider that would work for $209 per hour, so it had to either use the firm recommended by its insurer or pay the difference between what the insurer was willing to pay and the amount the qualified vendors it found were willing to charge. This is essentially a secret panel counsel since it is not disclosed and the only vendor willing to work for the amount the insurer considered “reasonable” was the vendor the insurer had pre-selected. To avoid this situation, it is crucial that businesses negotiate specific service providers, including hourly rates, onto their policies in advance of a claim.
C. Reservation of Rights Letters and Other Insurer Responses
1. Reservation of Rights Letter
Shortly after an insured reports a claim, the insurer will typically respond with a “reservation of rights” letter. This letter will discuss potential coverage issues raised by the nature of the claim and will explain why the claim may not be covered. Because an insurer is often deemed to have waived any issues that are not raised in a reservation of rights letter, many reservation of rights letters are extremely broad. Although a reservation of rights letter is obviously for the insurer’s benefit, it should not necessarily create an adversarial relationship between the insurer and insured. It is the insurer’s initial response, not its final decision on coverage. The reservation of rights letter may be useful to the insured because it provides an early indication of the insurer’s position. It also allows the insured to take necessary steps to protect its potentially uninsured interests.
2. Denial of Coverage Letter
An insurer may also deny coverage if the claim appears to be outside the scope of coverage provided by the policy or if the insureds have not complied with the terms and conditions of the policy. In many jurisdictions, a denial or disclaimer letter will effectively terminate the obligation of the insured to keep the insurer informed of claim developments. Notwithstanding whether a duty exists, however, it may be wise to continue to keep the insurer informed of case developments as later developments may alter the insurer’s coverage position. In addition, keeping the insurer apprised of developments may assist the insured if the coverage dispute is later litigated.
3. Duty to Keep the Insurer Informed and Other Duties
Most cyber liability insurance policies impose a duty to cooperate and to provide such information as the insurer may reasonably require. Assuming that the insurer does not deny coverage at the outset, it is incumbent upon the insured to keep the insurer informed of significant developments as they occur. Generally, this means that the insured must forward copies of pleadings, settlement demands and significant court orders to the insurance company. The insured’s defense counsel may also be required to provide periodic updates or case status reports to the insurer.
Perhaps the most critical duty an insured has is to advise the insurer of any settlement negotiations at the time that they occur. Failure to keep the insurer advised of settlement talks will likely result in the insurer denying coverage even if the claim would have otherwise been covered. This is precisely what happened in Vigilant Ins. Co. v. Bear Stearns Cos., Inc., 10 N.Y.3d 170 (2008). In this case, Bear Stearns failed to obtain its insurers’ consent prior to settling a case. The insurers denied coverage citing the consent provision in the policy that stated that “[t]he Insured agrees not to settle any Claim, incur any Defense Costs or otherwise assume any contractual obligation or admit any liability with respect to any Claim . . . without the insurer’s consent . . . .” The New York Court of Appeals held that the denial of coverage was proper as Bear Stearns had clearly not obtained the consent of the cyber liability insurer prior to settlement. The result was a loss of $40 million of insurance coverage.
Other duties of an insured include taking all reasonable steps to mitigate any damages.
Coverage Tip
Keeping the insurer informed may also help during settlement negotiations. Informed insurers tend to buy in to the defense strategy and are able to get authority to approve a settlement proposal faster.
4. Attorney-Client Privilege and Work Product Doctrine
There are several issues that a company and its directors and officers should be aware of regarding the attorney-client privilege and work product doctrine. First, not all communications between the insurer and the insured will be protected from discovery. In fact, the rules governing when a communication will be protected vary by jurisdiction; thus, an insured should always consult with legal counsel to determine the amount of protection afforded to a particular communication.
There may also be limits on the protection granted to communications between a director or officer and the company’s in-house or outside counsel. Again, the amount of protection varies by jurisdiction but communications between a director or officer and the corporate attorney may not be protected. This is of particular concern in cyber claims as information provided to a non-law firm service provider may not qualify as privileged, may be discoverable, and may result in additional or more serious claims against the company.
Finally, issues concerning the attorney-client privilege and work product doctrine sometimes arise when there are joint defense agreements. Since lawsuits often name multiple officers and directors and possibly other parties who are represented by more than one attorney, it is sometimes necessary to implement joint-defense agreements so that the parties may present a united and cohesive front. Some jurisdictions recognize that communications between parties with a common legal purpose are protected. However, when the interests of the parties do not align legally, the protection may falter. Again, insureds should consult legal counsel on all matters pertaining to the attorney-client privilege and work product doctrine.
Coverage Tip
Using a law firm to coordinate the response to a data breach may help protect the attorney-client privilege.
D. Common Mistakes
1. Late Notice
Late notice is one of the easiest ways to deny coverage for a claim on a claims made policy. Insureds should investigate each year before the renewal of the policy to determine if anyone knows of any claims or potential claims that may need to be reported to the insurers.
2. Failure to Notice All Layers and All Policies
Insureds must notify any claims or circumstances to all layers of the insurance program. Failure to notify any excess insurer may jeopardize the coverage for the entire tower above the missed insurer. Insureds should also confirm receipt of the notice by the insurers for the same reasons.
3. Failure to Communicate
Although a claim may put an insured at odds with an insurer, many insureds may benefit from working with an insurer as a business partner. Insurers may be a valuable source of knowledge and experience regarding a claim. For example, during the height of the stock option backdating claims, some insurers were sharing their experience about settlement ranges and terms with their insureds. This sharing of information allowed many insureds to resolve their claims more quickly and less expensively than they might have otherwise done.
E. Insurance Checklist for Defending Cyber Liability Claims
• Promptly notice all claims to all insurers on your cyber liability program.
• Determine whether any other insurance policies might respond to the claim, and if so, notify those insurers as well.
• Once a claim is made, check to see if you are required to select from a list of pre-selected consultants or law firms (panel counsel) to defend the claim. Failure to use a panel counsel firm when required could result in a loss of coverage.
• Make sure all incurred costs are “reasonable and necessary to the defense of the claim.” Insureds should take an active role in managing response and defense costs. As soon as possible, you should inform all insurers of the names of all consultants and law firms selected as well as the hourly billing rates of the consultants and attorneys who will be responding to the claim.
• Insurers must approve the use of multiple firms to defend a claim. Absent a conflict, all insureds should use the same legal counsel.
• Determine whether any litigation management guidelines will apply. If so, share these with defense counsel promptly.
• Provide all bills to the insurers on a monthly basis and push for prompt audits of such bills – even before the retention is exhausted.
• Know that defense costs typically erode your limit, which means every dollar spent defending a claim reduces the amount available to pay a settlement or judgment.
• Use your insurers’ experience on coverage matters to your advantage.
• Know that you need to obtain consent before settling or offering to settle claims.
VIII. SUPPLEMENTING INSURANCE COVERAGE WITH BREACH PREPAREDNESS
by Kaylee A. Cox
Securing a robust cyber insurance policy is critical to mitigating risk to your organization. However, a big part of making sure that your insurance will respond appropriately is understanding what cyber risks are most relevant to your organization and matching those risks to your coverage. Negotiating insurance provisions will prove most effective if insureds are educated about their organization’s security controls and procedures and how they relate to the elements of the policy. There are three key steps that every organization should take to supplement their cyber insurance coverage: (1) conduct comprehensive risk assessments; (2) establish a written incident response plan; and (3) test your response readiness through cyber-attack simulations.
Comprehensive Risk Assessments
Comprehensive risk assessments are a fundamental component of any organization’s cybersecurity program, and it is important to take an enterprise-wide approach in conducting the assessment process rather than narrowly looking at only technical controls. Gaps pertaining to corporate governance, physical and operational controls, policies and procedures, training, and reporting structure are of equal significance in determining your entity’s risk landscape. Key stakeholders throughout the organization should participate in the assessment to ensure that you are capturing a complete view of the company’s security posture. This process will help inform decisions regarding insurance coverage and ensure that the scope of the policy is appropriately tailored to the risks facing the organization. Additionally, because the cyber threat landscape is constantly and rapidly evolving, assessments should be conducted at least annually, ideally in advance of the policy renewal period.
Written Incident Response Plan
Establishing an actionable, written plan will help organize and streamline the incident response process, which in turn serves to mitigate the risk of steep response-related costs and, ultimately, exceeding coverage limits.
The incident response players must have clarity on roles, responsibilities, and authority during an incident. Without clear instructions and authorizations in place, personnel will respond inconsistently, which can be especially damaging to an organization’s brand and can also create legal risks and increase liabilities and costs. Similarly, without clearly identified procedures, organizations run the risk of departments duplicating efforts, wasting both valuable time and resources. A written plan will help to provide structure, clarity, and organization around the incident response process.
Central elements of a strong incident response policy include consistently defined terms, conspicuous designation of duties, and clear communication protocols. It is imperative that key terms (e.g., “Event,” “Incident,” “Breach”) are consistently and clearly defined. To the extent there are multiple policies at issue, terms must have the same meaning across the plans and departments to ensure a uniform response. Variances in definitions can result in confusion among incident response players, and poorly defined terms can create ambiguity as to when certain processes are triggered. Importantly, certain terms (like “Breach”) have legal implications, and referring to an incident as a “breach” before a proper determination is made as to whether a breach (as defined under law or written policy) has occurred is a common mistake and typically results in increased costs and liabilities.
The plan should furthermore conspicuously identify roles and responsibilities during the incident response process, including the designation of an Incident Commander, who is responsible for leading response efforts and who has real-time decision-making authority. The plan should also be clear about the parameters of such authority.
Perhaps one of the most important aspects of the incident response process—and one which frequently results in increased brand impact and liability exposure—is the communications process. It is, therefore, critical that the incident response plan establish clear communications protocols, including triggers for cross-functional coordination and escalation. A common misstep in the response process is neglecting to engage the appropriate parties early enough in the process, so clearly defined triggers for when certain departments and players need to be informed of and engaged in the response process, and when issues should be escalated to senior personnel, help to mitigate this risk. The plan should also include clear procedures for external communications to ensure the organization does not increase potential liability through inconsistent or ineffective messaging surrounding an incident. These protocols are particularly important with respect to communications with law enforcement, regulators, insurance carriers, third-party vendors, the press, and affected individuals.
Cyber-attack Simulations
While maintaining a written response plan is necessary, it is not enough. A policy may appear perfect on paper, but it can be rendered meaningless if the procedures are not internalized by key players. Moreover, certain gaps or challenges may arise when the policy is actually put into practice. Companies that pressure test their incident response policies and procedures for the first time in a controlled environment have a distinct and powerful advantage over the unprepared when the time comes for a real response. Simulated cyber exercises have proven to be one of the best ways to test a company’s incident response plan and are a valuable extension of the risk assessment process. There are various types of exercises that can be implemented, depending on the level of maturity of the entity’s cybersecurity program, including tabletop and operational exercises. Cyber-attack simulations allow organizations to identify gaps, rectify issues, and improve processes before an actual incident occurs and, ideally, help the entity avoid repeating past mistakes.
A Note on the Attorney-Client Privilege
The legal department is generally not “top of mind” in the cyber risk management process, but attorneys play a vital role in helping to minimize potential costs and liabilities associated with cyber risks. It is often advantageous to have legal counsel oversee, and at times direct, the risk assessment process, including cyber exercises. Attorneys are well positioned to help ensure that the assessment does not itself create risk, that any assessment is focused on compliance with applicable regulations, and that the necessary constituents are involved. In particular, the attorney-client privilege is one of the most important benefits of leveraging outside counsel. Doing so helps provide the organization a mechanism to identify and remediate gaps or deficiencies in a privileged environment. When companies conduct risk assessments or cyber exercises without the presence of counsel, identified shortcomings, mistakes, and vulnerabilities may be available to regulators and could be used against the company in future litigation or enforcement actions. Engaging outside counsel to oversee the process helps protect the company from these unwanted exposures and liabilities. Further, the cloak of privilege often fosters a more open and transparent analysis of the organization’s risk rating, which allows the company to better improve its cyber program and could result in an organization being viewed much more positively during regulatory examinations, audits, or even future litigation.
IX. CONCLUSION
Cyber insurance is still evolving. Insureds must take the time to learn what coverage they need and what coverage they have to ensure they are adequately protected. In addition, insureds should have a plan in place to deal with the complexity of having multiple lines of coverage that may apply to a single cyber event. A little preparation can avoid significant problems with coverage in the event of a claim.
Cyber liability insurance is an important coverage for nearly all companies today. Directors and officers cannot leave to chance whether this multi-million dollar asset will protect their company in the event of a cyberattack. Directors and officers who assume that they are fully protected just because their company has cyber liability insurance may find out the hard way that their protection is inadequate. Fortunately, there are a number of cyber liability insurance policies available and cyber liability insurance policies are highly negotiable. By taking the time to negotiate improvements to the cyber liability policies and ensuring that the coverage is appropriate for the insured’s risk profile, companies can greatly improve the chances that their cyber liability policy will protect them when they need it most.
GLOSSARY OF COMMON CYBER LIABILITY INSURANCE TERMS
All Risk
An all risk policy provides protection against any claim that is not specifically excluded by the policy. The opposite type of coverage is a “named peril” policy – such a policy only covers those types of claims that are specifically listed in the policy.
Allocation
Allocation refers to the split between covered and uncovered loss. Allocation usually occurs when there are covered and uncovered allegations in a claim or when there are allegations against covered and uncovered persons or entities.
Attachment / Exhaustion
The attachment/exhaustion provision sets forth when an excess policy will provide coverage. Generally, this provision provides that the excess policy will only attach once the underlying policy limit is exhausted.
Bodily Injury
Bodily injury means a physical injury, sickness, disease or death. Some policies will also include mental anguish or injury and other types of emotional distress including mental injury, mental anguish, mental tension, emotional distress, pain and suffering, or shock, whether or not resulting from injury to the body, sickness, disease or death of any person.
Captive
A captive is an insurance company that is owned by a parent company and used to insure the parent’s own risks.
Change of Control Provision
The change of control provision generally details how certain events/transactions will impact the insurance coverage. For example, the change of control provision might state that if the parent company is sold, the insurance will cease to provide going forward insurance coverage.

Claim
The term claim generally defines what events will trigger coverage under the cyber liability insurance policy. Most cyber liability insurance policies will define a claim broadly to include litigation, arbitration/mediation and certain regulatory matters.

Claims Made
A claims made policy requires that a claim be made and reported during the policy period to be covered by the policy.

Communication
Communication is defined as an electronic record or message created, generated, sent, communicated, received or stored by electronic means that is capable of retention by the recipient at the time of receipt, including a telefacsimile transmission or e-mail, and that was transmitted or purported to have been transmitted through a network.

Computer
Computer means a device or group of devices that by manipulation of electronic, magnetic, optical or electromechanical impulses pursuant to a computer program can perform operations on data.

Computer System
A computer system is often defined as computer hardware, software or components that are linked together through a network of two or more devices accessible through the internet, internal network, or connected with data storage or other peripheral devices and are under ownership, operation or control of, or leased by an insured company.
Some definitions will also include associated input and output devices, data storage devices, networking equipment and storage area network or other electronic data backup facilities. Some definitions restrict their definition of computer system to devices that are linked together through a network of two or more devices accessible through the internet, internal network or connected with data storage or other peripheral devices (including wireless and mobile devices), and provided that such hardware, software, components, devices and internal networks are under ownership, operation or control of, or are leased by, an insured.

Conduct Exclusions
In the cyber liability insurance context, the conduct exclusions remove coverage for certain wrongful acts committed by the insureds (e.g., where the insured gains illegal profits or commits intentional misconduct or fraud).

Conduit Injury
Conduit injury means injury sustained or allegedly sustained by a person because a system cannot be used, or is impaired, resulting directly from:
1. a cyberattack into an insured’s system, provided such cyberattack was then received into a third-party’s system; or
2. a natural person who has accessed a system without authorization, through an insured’s system.

Confidential Information
Confidential information means any of the following in a company’s or information holder’s care, custody or control or for which a company or information holder is legally responsible:
1. information from which an individual may be uniquely and reliably identified or contacted, including, without limitation, an individual’s name, address, telephone number, social security number, account relationships, account numbers, account balances, account histories and passwords;
2. information concerning an individual that would be considered “nonpublic personal information” within the meaning of Title V of the Gramm-Leach-Bliley Act of 1999 (Public Law 106-102, 113 Stat. 1338) (as amended) and its implementing regulations, or protected personal information under any similar federal, state, local or foreign law;
3. information concerning an individual that would be considered “protected health information” or “electronic protected health information” within the Health Insurance Portability and Accountability Act of 1996 (as amended) (HIPAA) or the Health Information Technology for Economic and Clinical Health Act (HITECH Act), and their implementing regulations, or protected health-related information under any similar federal, state, local or foreign law;
4. information used for authenticating customers for normal business transactions; or
5. any third-party’s trade secrets, data, designs, interpretations, forecasts, formulas, methods, practices, processes, records, reports or other item of information that is not available to the general public.

Coinsurance
Coinsurance requires the insureds to retain some percentage of the risk of loss. For example, the cyber liability policy may provide that the insurer will pay 90% of a loss and that the insured shall pay the remaining 10%.
Consumer Redress Fund
Consumer redress fund means a sum of money that the insured is legally obligated to deposit in a fund as equitable relief for the payment of consumer claims due to an adverse judgment or settlement of a regulatory proceeding. Consumer redress fund typically does not include any sums paid which constitute taxes, fines, penalties, injunctions or sanctions.

Content Injury
Content injury means injury sustained or allegedly sustained by a person because of the actual or alleged infringement of:
1. a collective mark, service mark, or other trademarked name, slogan, symbol or title;
2. a copyright;
3. the name of a product, service, or organization; or
4. the title of an artistic or literary work,
resulting directly from cyber activities of an insured.

Continuity of Coverage
Continuity of coverage refers to a continuation of the representations and warranties given by the insureds in the insurance application. Continuity of coverage is very important to insureds as it allows them to avoid making new representations and warranties at the renewal or when the insured changes insurers. This is a particularly important issue in a claims made policy.

Continuity Date
Cyber liability policies typically exclude coverage for any claims or circumstances that could give rise to claims that were known to the insureds as of the continuity date. The continuity date is generally the date on which the insureds first purchased cyber liability insurance from the insurer.
Crisis Management Expenses
Crisis management expenses are typically defined as the “reasonable and necessary” costs to retain: an independent attorney; an information security forensic investigator; and a public relations consultant. Some policies may also include limited advertising and public relations media and activities as well.

Cyberattack
The term cyberattack is generally defined as the transmission of fraudulent or unauthorized data that is designed to modify, alter, damage, destroy, delete, record or transmit information within a system without authorization, including data that is self-replicating or self-propagating and is designed to contaminate other computer programs or legitimate computer data, consume computer resources or in some fashion usurp the normal operation of a system.

Data Breach Expenses
Data breach expenses include reasonable and necessary expenses incurred by the insured or for which the insured becomes legally obligated to pay:
1. to retain third-party computer forensics services to determine the scope of a failure of network security;
2. to comply with privacy regulations, including but not limited to the consumer notification provisions of privacy regulations of the applicable jurisdiction that most favors coverage for such expenses;
3. with the insurer’s prior written consent, to voluntarily notify individuals whose personal information has been wrongfully disclosed;
4. in retaining the services of a public relations firm, crisis management firm or law firm for advertising or related communications solely for the purpose of protecting or restoring the insured’s reputation as a result of a wrongful act;
5. to retain the services of a law firm solely to determine the insured’s indemnification rights under a written agreement with an independent contractor with respect to a wrongful act expressly covered under an insuring agreement and actually or allegedly committed by such contractor; and
6. for credit monitoring services, but only if such disclosure of personal information could result in the opening of an unauthorized line of credit or other financial account.

Debtor-in-Possession
A debtor-in-possession is a company that operates while under Chapter 11 bankruptcy protections.

Derivative Suit
A derivative suit is an action brought on behalf of the corporation by its shareholders against the corporation’s directors and officers.

Diminishing Limits
A diminishing limits policy is one where defense costs incurred by the insureds reduce the limit of liability available to pay loss.

Disgorgement
Disgorgement is a repayment of ill-gotten gains – money to which the insured did not have a right in the first place. In the cyber liability insurance context, disgorgement most often arises in the context of the definition of loss. Most cyber liability policies do not consider disgorgement to be a loss and, therefore, do not cover any disgorgement.

Discovery Period or Extended Reporting Period (ERP)
The ERP is an optional extension of coverage that allows insureds to report claims made during the ERP provided that the wrongful act occurred prior to the expiration of the original policy period.
Duty to Defend
A duty to defend policy requires the insurer to defend any covered lawsuit or claim brought against an insured.

Employee Retirement Income Security Act of 1974 (ERISA)
ERISA is the statutory scheme that regulates employee benefit plans.

Final Adjudication Standard
The final adjudication standard requires the insurer to cover allegations of fraud or illegal conduct against an insured unless, and until, there is a final, unappealable adjudication that determines that the insured committed the fraud or other illegal conduct alleged.

Final Determination Standard
The final determination standard requires the insurer to cover allegations of fraud or illegal conduct against an insured unless, and until, there is a final determination by a court or other alternative dispute resolution proceeding that the insured committed the fraud or other illegal conduct alleged. The major difference between the final determination standard and the final adjudication standard is that with the final determination standard, the insurer would not be required to fund any appeals after a determination by a trial court that the insured committed the fraud or other illegal conduct.

First-Party Claim
A first-party claim is one that is made by an insured for an insured’s own losses.

Fraudulent Access or Transmission
Fraudulent access or transmission means that a person has:
1. fraudulently accessed an insured’s system without authorization;
2. exceeded authorized access; or
3. launched a cyberattack into an insured’s system.
Hammer or Forced Settlement Clause
A hammer or forced settlement clause provides that if the insurer agrees to fund a settlement within the policy limit but the insured rejects the settlement, the insurer’s liability is capped at the amount of the rejected settlement plus any defense costs incurred up to that date. Insurers include this provision in their cyber liability policies to prevent insureds from fighting on principle with the insurers’ money. By forcing a settlement, the insurer is essentially saying that if the insured wants to continue to fight, it should bear the risk of a potentially less favorable resolution to the case.

Informant
Informant means any natural person providing information solely in return for monetary payment paid or promised by an insured.

Insured’s Computer System
Insured’s computer system means a computer system:
1. leased, owned, or operated by the insured; or
2. operated for the benefit of the insured by a third-party service provider under written contract with the insured.

Intellectual Property Law or Right
Intellectual property law or right means any:
1. certification mark, collective mark, copyright, patent, service mark, or trademark;
2. right to, or judicial or statutory law recognizing an interest in, any trade secret or confidential or proprietary information;
3. other right to, or judicial or statutory law recognizing an interest in, any expression, idea, likeness, name, slogan, style of doing business, symbol, title, trade dress or other intellectual property; or
4. other judicial or statutory law concerning piracy, unfair competition or other similar practices.

Internet
Internet means a group of connected networks that allow access to an insured’s system through service providers using telephone service, digital subscriber lines, integrated service digital network lines, cable modem access or similar transfer mediums.

Media
Media means objects on which data may be stored so that it may be read, retrieved or processed by a computer. Media often does not include paper.

Network
Network means any and all services provided by or through the facilities of any electronic or computer communication system, including Fedwire, Clearing House Interbank Payment System (CHIPS), Society for Worldwide Interbank Financial Telecommunication (SWIFT) and similar automated interbank communication systems, automated teller machines, point of sale terminals, and other similar operating systems and includes any shared networks, internet access facilities, or other similar facilities for such systems, in which an insured participates, allowing the input, output, examination, or transfer of data or programs from one computer to an insured’s computer.

Most Favorable Venue
In the cyber liability context, the most favorable venue clause generally states that the parties should use the law of the venue most favorable to finding coverage to determine the insurability of punitive damages.
Named Peril
A named peril policy only covers the hazards specifically named in the policy. Named peril policies tend to be less expensive than all risk policies that cover all hazards unless the hazard is specifically excluded from coverage.

Network Security
Network security means those activities performed by the insured, or by others on behalf of the insured, to protect against unauthorized access to, unauthorized use of, a denial of service attack by a third-party directed against, or transmission of unauthorized, corrupting or harmful software code to, the insured’s computer system.

Occurrence Coverage
An occurrence policy covers losses that were incurred during the effective dates of the policy regardless of when the claim for such losses is actually made.

Outsource Provider
Outsource provider means an entity not owned, operated or controlled by an insured that such insured depends on to conduct its business.

Panel Counsel
Some cyber liability policies require the use of a pre-approved consultant, public relations firm or law firm. The list of pre-approved firms is generally referred to as a panel counsel firm.

PCI Data Security Standards
PCI data security standards means generally accepted and published Payment Card Industry standards for data security (commonly referred to as “PCI-DSS”).
PCI-DSS Assessment
PCI-DSS assessment means any written demand received by an insured from a payment card association (e.g., MasterCard, Visa, American Express) or bank processing payment card transactions for a monetary assessment (including a contractual fine or penalty) in connection with an insured’s non-compliance with PCI data security standards which resulted in a security failure or privacy event.

Pending and Prior Litigation Exclusion
The pending and prior litigation exclusion eliminates coverage for any litigation or proceeding that relates to any litigation or proceeding pending on or prior to the inception of the policy (or some other designated date).

Personal Information
The definition of personal information varies significantly. Some insurers define it as specific information such as an individual’s name, social security number, medical or healthcare data, other protected health information, driver’s license number, state identification number, credit card number, debit card number, address, telephone number, account number, account histories, or passwords. Other insurers define it as any information:
1. from which an individual may be uniquely and reliably identified or contacted;
2. that would be considered nonpublic personal information, protected personal information, protected health information or electronic protected health information; or
3. used for authenticating individuals for normal business transactions.
Most insurers exclude information that is lawfully made available to the general public for any reason, including but not limited to information from federal, state or local government records.
Policy Period
The policy period is the period of time from the inception date of a policy until the expiration date of the policy or the cancellation of the policy, whichever comes first.

Prior Acts Exclusion
The prior acts exclusion excludes claims arising from wrongful acts occurring before the prior acts date. Prior acts exclusions are strongly disfavored in a claims made policy as they tend to significantly reduce the protection provided by the policy.

Privacy Event
Privacy event means any failure to protect confidential information (whether by “phishing,” other social engineering technique or otherwise), including, without limitation, that which could result in an identity theft or other wrongful emulation of the identity of an individual or corporation.

Privacy Notification Expenses
Privacy notification expenses are the reasonable and necessary cost of notifying persons who may be directly affected by the potential or actual unauthorized access of a record, and (1) changing such person’s account numbers, other identification numbers and security codes; and (2) providing such persons (for a set period of time) with credit monitoring or other similar services that may help protect them against the fraudulent use of the record.

Privacy Regulations
Privacy regulations include the following statutes and regulations associated with the care, custody, control or use of personally identifiable financial, medical or other sensitive information:
1. Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and Health Information Technology for Economic and Clinical Health Act;
2. Gramm-Leach-Bliley Act of 1999;
3. the California Security Breach Notification Act (CA SB 1386) and Massachusetts 201 CMR 17;
4. Identity theft red flags under the Fair and Accurate Credit Transactions Act of 2003;
5. Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), but solely for alleged violations of unfair or deceptive acts or practices in or affecting commerce; and
6. other similar state, federal, and foreign identity theft and privacy protection legislation that requires commercial entities that collect personal information to post privacy policies, adopt specific privacy or security controls, or notify individuals in the event that personal information has potentially been compromised.
Quota Share
A quota share program spreads loss among two or more insurers in pre-set percentages.

Related Acts
Related acts (sometimes referred to as “interrelated wrongful acts”) are acts that are logically or causally connected by some common nucleus of facts. Some policies may also define this term as a series of similar, related or continuous acts.

Reputational Injury
Reputational injury means injury sustained or allegedly sustained by a person because of an actual or alleged:
1. disparagement of such organization’s products or services;
2. libel or slander of such natural person; or
3. violation of such person’s rights of privacy or publicity,
resulting directly from cyber activities of an insured.
Rescission
Rescission is the act of completely voiding an insurance policy so that it is as if the policy was never issued. Generally, the insurer will return any premium collected and the insured returns to the position it would have been in if the insurance contract had never been bound. Rescission typically occurs only if there is a material misrepresentation in the application for insurance.

Reservation of Rights Letter
A reservation of rights letter is a letter from the insurer to the insured that sets forth all of the potential reasons why coverage may not apply to a particular claim.

Retention
A retention is the amount of risk retained by the insured before the insurance policy will begin to provide coverage. A retention is similar to a deductible.

Retroactive Date
Claims arising out of wrongful acts committed prior to the retroactive date are not covered by the cyber liability policy.

Reward Expenses
Reward expenses means the reasonable amount paid by an insured to an informant for information not otherwise available which leads to the arrest and conviction of persons responsible for a cyberattack, fraudulent access or transmission, or a threat.

Security Breach Notice Law
Security breach notice law means any federal, state, local or foreign statute or regulation that requires an entity collecting or storing confidential information, or any entity that has provided confidential information to an information holder, to provide notice of any actual or potential unauthorized access by others to such confidential information, including but not limited to, the statute known as California SB 1386 (§1798.82, et seq. of the California Civil Code).

Security Failure
Security failure means a failure or violation of the security of a computer system that:
1. results in, facilitates or fails to mitigate any: (a) unauthorized access or use; (b) denial of service attack; or (c) receipt, transmission or behavior of a malicious code; or
2. results from the theft of a password or access code from an insured’s premises, the computer system, or an officer, director or employee of an insured by non-electronic means.
Security failure generally does not include any of the foregoing that results, directly or indirectly, from any: (1) natural or man-made earth movement, flood, earthquake, seaquake, shock, explosion, tremor, seismic event, lightning, fire, smoke, wind, water, landslide, submarine landslide, avalanche, subsidence, sinkhole collapse, mud flow, rock fall, volcanic activity, including eruption and lava flow, tidal wave, hail, or act of God; or (2) satellite or other infrastructure failure.

Severability of the Application
Generally, all statements in the application for insurance are attributed to all insureds protected by the insurance contract. The severability of the application provision limits this general rule so that the statements in the application are not imputed to all insureds but are instead deemed binding only on the particular person or persons who were responsible for making the statements.

Severability of Exclusions
A severability of exclusions provision provides that the wrongful acts of one insured shall not be imputed to any other insured to determine the applicability of a given exclusion.
Third-Party Claim
A third-party claim involves damage or harm to a third-party (a party other than the insured or the insurer).

Website
Website means the software, content and other materials accessible via the internet at a designated Uniform Resource Locator (URL) address.
The information contained herein is for general education and knowledge only. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem. Moreover, the laws of each jurisdiction are different, and are constantly changing. If you have specific questions regarding a particular fact situation, we urge you to consult expert legal counsel.
Cyber Liability Insurance

• Holland & Knight’s Cyber Liability Insurance Team assists policyholders in evaluating, negotiating and enforcing their cyber liability insurance policies.
• When a claim arises, our team works with clients to best position their claim for maximum insurance recovery.
• We help ensure that each type of insurance policy is well-coordinated with the other types of insurance you plan to or have already purchased to help avoid gaps in coverage, eliminate duplicate coverage and potentially reduce your insurance costs.
• Holland & Knight has been ranked as the number one law firm in the United States for director liability issues by Directors & Boards magazine for eight years in a row (2007-2014).

Cyber liability insurance is a complicated and fast-moving area of the law. This relatively new coverage is complicated and there are significant differences in the protection offered by various insurers. Holland & Knight has extensive experience with this line of coverage and can quickly and effectively advise on how to obtain the strongest protection available.

Independent Insurance Advice
The Holland & Knight Cyber Liability Insurance Team assists clients in evaluating, negotiating and enforcing their cyber liability insurance policies. Our clients range from Fortune 500 corporations to small, private and not-for-profit entities, as well as boards of directors seeking assistance with their insurance programs. We provide independent advice – meaning we have no financial stake in the amount of insurance you buy or in the insurers you select. Our only interest is in helping you obtain the broadest protection possible.

Evaluating and Negotiating Effective Liability Coverage
To ensure that you are adequately protected, we start by listening to your risk transfer needs. Once we learn what your concerns are, we analyze your policy to determine whether it adequately protects you. As part of this process, we employ our substantial claims experience to assess whether or not your policy will actually respond in the event of a claim.
In order to help you get the broadest possible coverage, we utilize our extensive library of policies, checklists and available endorsements to determine how your policy compares with what is available in the marketplace. Using this information and the experience gained from reviewing numerous policies each year, we suggest coverage enhancements and provide wording for requested endorsements. If you do not yet have cyber liability coverage, our team can assist you in doing a thorough evaluation of all the considerations relevant to your business or organization. Armed with the knowledge of what the marketplace will provide, we work with your insurance broker to negotiate selected coverage enhancements using our precedent files, which show how an insurer has responded to similar requests in the past. Obtaining significant policy enhancements for our clients is our highest priority.

Maximizing Your Potential Insurance Recovery
The true test of an insurance program is how it responds to a claim. The Holland & Knight Cyber Liability Insurance Team uses its experience and established professional relationships in the market to best position your claim with the goal of securing the maximum potential insurance recovery. Our team regularly counsels clients on issues such as coordination of coverage, the applicability of exclusions, and how to respond to reservation of rights and coverage denial letters. We also regularly work with breach coaches and other data security professionals in order to maximize insurance recoveries.

Understanding Risk Management as a Whole
In addition to making sure each insurance policy provides strong protections, Holland & Knight can also review corporate bylaws, indemnification agreements and other corporate documents to make certain these documents all work together effectively with your insurance policies.
Avoiding Gaps in Coverage
We also help ensure that each type of insurance policy is well-coordinated with the other types of insurance you plan to purchase or that you have already purchased. This is critically important as it can help avoid gaps in coverage. It can also help eliminate duplicate coverage and potentially reduce your insurance costs. Most importantly, it will give you a more complete understanding of how various types of policies work together – or do not work together – to cover your risks. This is now a particularly relevant issue for data privacy and security risks which tend to fall in a gap between several different types of insurance policies.

Experienced in Providing Proactive Data Breach Measures
Holland & Knight’s Cybersecurity and Privacy Team assists companies of all sizes in a broad range of industries with taking a proactive, comprehensive approach to risk management. The team counsels clients on the appropriate data breach response as well as all other areas related to what to do when a data breach occurs, from a standpoint of company reputation to how to respond to and defend actions against state attorneys general, the FTC and other regulatory bodies, and defend companies against privacy-related class actions. Our Data Privacy Testing Lab identifies privacy and security issues by using advanced technology along with legal counsel to help protect your company.

Industry Recognition for Holland & Knight’s Directors & Officers and Management Liability Insurance Team

Consistently Ranked as One of the Nation’s Top Law Firms for Director Liability Issues
Directors & Boards magazine ranked Holland & Knight as one of the top law firms in the United States for dealing with director liability issues in 2014. This is the eighth consecutive year Directors & Boards magazine has recognized Holland & Knight as a top law firm in this area (2007-2014). In addition, Directors & Boards magazine ranked Holland & Knight among the top five law firms for general corporate governance issues and board-level merger and acquisition issues in 2013.

Recognized as 2012 Insurance Firm of the Year
Holland & Knight was recognized as the nation’s 2012 Insurance Law Firm of the Year by Lawyer Monthly’s Legal Awards, a research-based awards program conducted in association with The Economist magazine. The firm was honored for its achievement in engaging and responding to the demands of a new post-recession business environment.
Leading Lawyers on Your Side
Members of our team have been selected for inclusion in leading industry publications, including Chambers USA for Insurance and Best Lawyers in America for Insurance Law. Our Insurance practice also received a national first-tier ranking in the 2018 U.S. News - Best Lawyers® “Best Law Firms” guide, as well as metropolitan first-tier rankings in the Fort Lauderdale and Jacksonville markets.
Meet The Team

THOMAS H. BENTZ JR.
Partner | Washington, D.C.
+1 202.828.1879 | thomas.bentz@hklaw.com
Thomas H. Bentz Jr. practices insurance law with a focus on D&O, cyber and other management liability insurance policies. Mr. Bentz leads Holland & Knight’s D&O and Management Liability Insurance Team which provides insight and guidance on ways to improve policy language and helps insureds maximize their possible insurance recovery.

THOMAS F. “TOM” MORANTE
Partner | Fort Lauderdale
+1 954.468.7862 | tom.morante@hklaw.com
Tom Morante is an attorney in Holland & Knight’s Fort Lauderdale office who helps financial services companies navigate an increasingly complex global regulatory environment. He co-chairs the firm’s Insurance Industry Team, representing insurers, reinsurers, captives, insurance wholesalers, insurance agents/brokers, funds and fund managers, and alternative capital providers. For more than 25 years, clients have relied on Mr. Morante’s experience in handling U.S. and foreign insurance matters with respect to life and annuities, health, title, property and casualty, extended warranty, environmental, cyber risk, directors and officers (D&O), political risk and trade credit insurance.
85
CHRISTOPHER G. CWALINA
Partner | Washington, D.C.
+1 202.469.5230 | chris.cwalina@hklaw.com

Christopher G. Cwalina is a partner in Holland & Knight’s Washington, D.C., office and co-chair of the Cybersecurity and Privacy Team. He concentrates his national practice primarily on privacy and data security compliance; litigation; defending companies in investigations initiated by state attorneys general, the FTC and other government agencies; responding to security breach incidents; establishing international compliance frameworks for companies; and developing and writing company policies and procedures. Mr. Cwalina has managed some of the largest data breaches in the country. He regularly serves as a “breach coach” – leading companies from a variety of industries through crisis management and the intricacies of managing the competing interests of affected customers, consumers, regulators, Congress, consumer groups, media, law enforcement, payment processors and other third parties involved when large breaches occur.

SCOTT T. LASHWAY
Partner | Boston
+1 617.305.2119 | scott.lashway@hklaw.com

Scott T. Lashway is a litigation attorney in Holland & Knight’s Boston office and a member of the firm’s Litigation and Dispute Resolution practice. He is called upon by clients for representation and counseling on complex disputes, internal investigations and government enforcement matters, as well as to advise on critical legal and compliance risks. Mr. Lashway has significant experience representing clients in matters involving cybersecurity, data privacy and management, and allegations of misappropriation of intellectual property, trade secrets and proprietary business information. He represents clients in an array of industries, including financial institutions, insurance companies, technology companies and life science companies, as well as their individual officers, directors and employees.
IEUAN G. MAHONY
Partner | Boston
+1 617.573.5835 | ieuan.mahony@hklaw.com

Ieuan G. Mahony is a partner in Holland & Knight’s Boston office. He concentrates his practice in intellectual property (IP) licensing and development, data privacy and security, and information technology (IT). Mr. Mahony combines his transactional and compliance work with dispute resolution and litigation matters. His substantial background in transactional and litigation practice areas helps clients receive high-quality advice in the dynamics of reaching an agreement as well as the realities of combating an adversary. Mr. Mahony is a member of the firm’s three-partner Information Technology Governance Committee.

STEVEN B. ROOSA
Partner | New York
+1 212.513.3544 | steven.roosa@hklaw.com

Steven B. Roosa is a partner in Holland & Knight’s New York office. He is also a fellow emeritus at the Center for Information Technology Policy (CITP) at Princeton University. His practice focuses on advising companies on a wide spectrum of technology and legal issues pertaining to privacy and data security. Representative issues include: mobile app privacy compliance; leveraging anonymity solutions to help clients safely unlock the value of large data sets; Internet tracking; web security; geo-fencing; data breach and incident response; Children’s Online Privacy Protection Act (COPPA); Computer Fraud and Abuse Act (CFAA); FTC compliance; privacy considerations of modified network protocols; California best practices for websites and mobile apps; compliance with wiretap statutes and the Electronic Communications Privacy Act (ECPA); public-key infrastructure (PKI); certification authority matters pertaining to online trust; and web-based reputation and defamation issues.
SHANNON HARTSFIELD SALIMONE
Partner | Tallahassee | +1 850.425.5624
Orlando | +1 407.244.1113
shannon.salimone@hklaw.com

Shannon Hartsfield Salimone is a health lawyer whose practice focuses on corporate compliance, particularly in the regulatory and data privacy areas. She is Board Certified in Health Law by the Florida Bar Board of Legal Specialization and Education. She advises clients on state and federal matters, including healthcare compliance, internal investigations, HIPAA and data privacy, cyber liability and reducing risk, consumer protection relating to privacy, long-term care, fraud and abuse, licensure, EMTALA, meaningful use of electronic medical records and prescription drug distribution. Ms. Salimone’s clients include health plans and insurers, medical technology companies, assisted living facilities, continuing care retirement communities, nursing homes, hospitals and large clinics, pharmaceutical manufacturers and distributors, pharmacies, tissue banks, medical and benefit management companies, religious institutions and data analytics companies, among others. Ms. Salimone is a past Chair of the ABA Health Law Section’s eHealth, Privacy & Security Interest Group.

NORMA M. KRAYEM
Sr. Policy Advisor | Washington, D.C.
+1 202.469.5195 | norma.krayem@hklaw.com

Norma Krayem is a senior policy advisor in Holland & Knight’s Washington, D.C., office and co-chair of the firm’s Cybersecurity and Privacy Team, as well as a member of the Public Policy & Regulation Group. Ms. Krayem provides strategic advice on key issues in a range of areas, including homeland security, transportation, defense, international trade and environmental matters, as well as appropriations issues for all aspects of critical infrastructure. She also focuses on the impacts of cyber and privacy issues on the banking and financial services, energy, communications, health, transportation and other critical sectors. Ms. Krayem has more than 20 years of experience addressing major issues within the national policy-making arena and has worked both in and with state, local and federal governments, as well as Fortune 500 clients, to develop strategies designed to build and maintain a competitive edge.
KAYLEE A. COX
Associate | Washington, D.C.
+1 202.469.5185 | kaylee.cox@hklaw.com

Kaylee A. Cox is an associate in Holland & Knight’s Washington, D.C., office and a member of the firm’s Cybersecurity and Privacy Team. Ms. Cox focuses her practice on information privacy and data security compliance, regulatory investigations, security breach incident response, breach preparation and cybersecurity risk management, and development of corporate privacy and security policies and procedures. She advises companies on information privacy and cybersecurity regulatory issues and legislative affairs, as well as compliance with state, federal and international privacy laws, regulations and directives.
Recent Insurance Publications From Holland & Knight

Is Your Cyber Liability Insurance Any Good? A Guide for Banks to Evaluate Their Cyber Liability Insurance Coverage, North Carolina Banking Institute Journal, February 17, 2017
Tips for Strong Cyber Liability Insurance, The Review of Securities & Commodities Regulation, September 21, 2016
The Ins and Outs of Cyber Liability Insurance, National Defense Magazine, April 2016
Cyber Insurance and Social Engineering Fraud, Why Voluntary Transfers May Not Be Covered By Your Insurance Policies, Cyberspace Lawyer, February 2016
How Insurance Mergers Could Affect Your Business, Law360, January 25, 2016
How Will the Consolidation of Insurance Markets Affect You?, Holland & Knight Alert, January 14, 2016
How Can That Not Be Covered? I Have Cyber Insurance!, Holland & Knight Alert, January 8, 2016
DOJ Targets Executives and Individuals in Corporate Investigations, Holland & Knight Alert, September 22, 2015
Corporate Compliance Answer Book, Directors and Officers Liability Insurance and Cyber Liability Insurance Chapters, Practising Law Institute, 2016 Edition
Views on Corporate Cybersecurity Insurance Options, Privacy Law Watch, August 13, 2015
A Buyer’s Guide to Cyber Liability Insurance Coverage, 2015
Negotiating Key Cyber Exclusions, Insurance Day, July 8, 2015
Excess D&O Insurance Coverage – An Important But Often Neglected Part of Your D&O Insurance Program, Financier Worldwide Magazine, April 2015
Protecting Against Cyber Risk - A Primer on Cyber Insurance, Cyberspace Lawyer, March 2015
Insurance Agency Risk Management - E&O Exposures by Line of Business, D&O Chapter, Agents of America, 2014 Edition, Series 3
A Buyer’s Guide to Obtaining Comprehensive D&O Insurance Coverage, 2nd Edition, June 2014
About Holland & Knight LLP

Holland & Knight is a global law firm with more than 1,250 lawyers and other professionals in 27 offices throughout the world. Our lawyers provide representation in litigation, business, real estate and governmental law. Interdisciplinary practice groups and industry-based teams provide clients with access to attorneys throughout the firm, regardless of location.

Anchorage | Atlanta | Austin | Bogotá | Boston | Charlotte | Chicago | Dallas | Denver | Fort Lauderdale | Houston | Jacksonville | Lakeland | London | Los Angeles | Mexico City | Miami | New York | Orlando | Portland | San Francisco | Stamford | Tallahassee | Tampa | Tysons | Washington, D.C. | West Palm Beach

Significant Firm Recognitions

Over 325 lawyers representing more than 80 different practice areas were named Best Lawyers in America in the 2018 guide. Additionally, 23 Holland & Knight attorneys were named “Lawyer of the Year” in their respective areas (August 2017). More than 145 Holland & Knight attorneys were named in the Chambers USA – America’s Leading Lawyers for Business 2017 guide (May 2017). Holland & Knight is one of the top 40 firms recommended for more than 6 years in a row by corporate counsel in BTI Consulting Group’s Annual Survey and is also named to the 2017 BTI Client Service A-Team (December 2016). Holland & Knight received national first-tier rankings in the 2017 U.S. News - Best Lawyers “Best Law Firms” guide in 36 practice areas, in addition to 164 metropolitan first-tier rankings (November 2016).
Significant Insurance Team Recognitions

Members of our D&O and Cyber Liability Insurance Team have been recognized among the top legal professionals in the country. The following are a few of their most recent awards:

• Worldwide Financial Advisor Awards, a magazine that publishes on legal advisory and consulting firms all over the world, named Holland & Knight as Superior Lawyers 2016 in the category of Insurance & Reinsurance Law Firm of the Year – USA.
• Corporate LiveWire, an insight into the corporate world, named Holland & Knight the Global Awards 2016 winner for best in D&O Liability Insurance.
• Corp America, a magazine that covers the U.S. business market, named Holland & Knight as Best for Insurance Law – Washington D.C. Metropolitan Area as part of its 2016 Legal Elite Awards.
• Acquisition International, a magazine and website that covers the global corporate landscape, named Holland & Knight as the Best Insurance Law Firm – USA as part of its 2016 Legal Awards.
• Advisen, a leading firm that provides intelligence and analysis on risk management and the insurance industry, named Holland & Knight as the Best Counsel of the Year – Policyholder Counsel as part of its 2015 Executive Risk Awards.
About the Author
Thomas H. Bentz Jr.
Partner
Holland & Knight LLP
800 17th Street, N.W.
Washington D.C. 20006
t: 202.828.1879
e: thomas.bentz@hklaw.com
Thomas H. Bentz Jr. practices insurance law with a focus on Cyber liability, Directors & Officers (D&O) liability and other management liability insurance policies. Mr. Bentz leads Holland & Knight’s D&O and Management Liability Insurance Team, which provides insight and guidance on ways to improve policy language and helps insureds maximize their possible insurance recovery.
Using an extensive library of insurance forms and endorsements, along with the experience of reviewing numerous insurance policies each year, Mr. Bentz analyzes policy forms and works with brokers to negotiate improvements to policy wordings. He also provides policy comparisons and coverage summaries for management and boards of directors.

In the event of a claim, Mr. Bentz offers policyholders strategic and technical advice on coverage matters such as notice, “duty to defend,” retention of defense counsel, rescission and severability. Mr. Bentz also advises clients on policy interpretation and how to respond to reservation of rights and denial letters from insurers.

Mr. Bentz also provides advice on risk mitigation and management, coordination of coverage (including cyber insurance) and crisis management. He has extensive experience with insurance issues related to mergers and acquisitions and other high-risk transactions, including extended reporting periods (or “tail” coverage), reps and warranties insurance, and indemnification agreements. He also assists clients with their bylaw indemnification provisions.

Prior to joining Holland & Knight, Mr. Bentz worked for Marsh USA Inc., the world’s largest insurance brokerage firm. As a claims advocate, Mr. Bentz recovered tens of millions of dollars for his clients. He also received several client service awards for his efforts in assisting clients in coverage disputes with their insurers. Mr. Bentz regularly publishes articles on Cyber and D&O insurance and is a frequent commentator on insurance issues.
Significant Insurance Recognitions

Members of our team have been selected for inclusion in leading industry publications, including Chambers USA and Best Lawyers in America.

THOMAS H. BENTZ JR.
• Global Awards – Excellence in Insurance Law Services, Corporate LiveWire, 2017
• Insurance and Reinsurance Lawyer of the Year, ACQ5 Law Awards, 2017
• Cyber Insurance Lawyer of the Year, LawyerIssue, 2017
• Insurance Lawyer of the Year – USA, Finance Monthly Global Awards, 2017
• Attorney of the Year, Corp America, 2017
• Advisen Executive Risk Awards Best Counsel of the Year – Policyholder Counsel, 2015
• Insurance and Reinsurance Lawyer of the Year – USA, Finance Monthly Global Awards, 2014, 2016
• Leading Lawyer Global 250, Lawyer Monthly magazine in association with The Economist magazine, 2013
• Outstanding Young Lawyer in Insurance Coverage Law, The Registry™ of Business Excellence, American Registry, LLC, 2013

HOLLAND & KNIGHT
• Insurance & Reinsurance Law Firm of the Year - USA, Global Leading Lawyer, 2017
• Insurance Law Firm of the Year – USA (DC), ACQ5 Law Awards, 2017
• D&O Liability Insurance Law Firm of the Year – USA (DC), ACQ5 Law Awards, 2017
• Best Insurance Law Firm – USA, Acquisition International, 2016
• Global Awards – D&O Liability Insurance, Corporate LiveWire, 2016
www.hklaw.com